Posts Tagged ‘rubotted’
Steps To Blocking Mal-Ads & Malware Sites
This post is dedicated to Mary, one of our blog readers who actually called me and asked me how to block the mal-ads because her TrendMicro RUBotted was continually alerting her. Thank you Mary! It’s so nice to know readers are gaining value from what I write. You truly made my day today!
There are several ways to block the advertising mal-ad sites. I will start with the simplest ways first and work down to the more difficult and list the pros and cons of each method.
Easiest: The first, and easiest method I’ve found to block the malware pushing ads on even the most legitimate sites (tarot.com to name a huge guilty site that’s actually legitimate!), is to install Firefox web browser with the AdBlock Plus Plug-in.
Firefox: http://www.mozilla.com/en-US/
AdBlock Plus: https://addons.mozilla.org/en-US/firefox/addon/1865
Important Notes: If you are new to Firefox, Add-ons do not automatically install like ActiveX controls in Internet Explorer (IE). You have to click the Add To Firefox button, then, after it loads in the small window, click Install Now to complete the installation. This is actually a double security measure which is why Firefox is more secure than IE.
After the add-on installs, it will ask you to restart Firefox. Firefox also saves the tabs or window you had open, so restart without worries. You’ll open back up to the page you were on.
Once you install AdBlock Plus, you should see a small stop sign in the upper right corner with the letters ABP in the middle.
Clicking on the down arrow of the icon allows you to control ad blocking on the site or page you are on.
Since I’ve installed this handy plug-in, I’ve not seen any RUBotted pop-ups and 99% of the ads I used to see are completely gone. Even all the ones at tarot.com!
Pros: Easy to install and use. Updates itself. No further user steps necessary once installed.
Cons: It also blocks some of the forms on web sites – particularly from Internet marketer sites but also some legitimate ones too. If you see something on the page that instructs you to enter your email address below and you don’t find the form, it’s AdBlock Plus blocking it. Just disable AdBlock for that page or site, refresh the page, and you should see your form available.
Next Easiest – If you are a die-hard IE user and you insist on using IE, install Spybot S&D (Search and Destroy) from safer-networking.org (use a safer-networking mirror to download).
Once you get past running it the first time, open the program and change the MODE at the top menu to Advanced mode. It will prompt you with a message; click Yes.
In advanced mode, you will see 3 bars on the lower right pane of the window. Click Tools.
In the right window, check the box next to IE Tweaks and Host Files if they are not already checked. You will notice after checking them, IE Tweaks and Host Files links are available on the left pane. (I know they do not look like links, but they are!)
Click Host Files in the left pane and you will see a different right window appear. Click the button to Add Host Files and the list will populate.
When the host files are complete, click the IE Tweaks link on the left pane. Check the box to Lock the host files if it is not already checked. Close Spybot.
Now when you go to IE, you should see a new link available from the Tools menu.
If you click that link, you will see that Spybot has installed the host files and is silently blocking the bad pages.
Pros: Easy to install, easy to use, and protects you from spyware with regular scanning. Plays nice with Lavasoft’s Ad-aware. And there are a lot of advanced features you can use if you download my free tutorial PDF from this blog post: Spybot Search & Destroy in Advanced Mode.
Cons: Unless you use the advanced configuration to schedule updates and scan regularly, you have to manually remember to do it. If Spybot is installed on a machine prior to installing Trend Micro, you have to uninstall Spybot first, install Trend and reinstall Spybot.
PLEASE NOTE: You cannot immunize with Spybot if you are using one of the major security vendors’ software! When you immunize, Spybot takes control of the files to monitor them for alterations. The major security software vendors do the same. What you end up with is a huge struggle between files and vendors, and your computer slows to a crawl. If you immunized and are experiencing a crawling computer, undo the immunization. It may take several tries to get fully cleared out, but your computer speed will return to normal. Major security vendors are: TrendMicro, Symantec, Norton, McAfee, AVAST, Eset, Kaspersky, Panda, Webroot, and possibly AVG.
Next Easiest – Another one for the die-hard IE users. Go to the following site and run the handy tool called MVPS.bat.
The site is: www.mvps.org and you want the zip file midway down the page.
This is a DOS batch file that installs the most recent host files (the list of bad websites) into the appropriate place. The command window will pop up and tell you it’s done.
Pros: Very simple to install.
Cons: You have to check back frequently with this site because the host files change and require you to update them manually. For every malware site that gets found or shut down, ten more appear, so you have to remember to check back frequently.
More difficult and not free. Install Trend Micro Internet Security.
Trend blocks the major mal-ad providers as I illustrated in a previous blog post: New Trend in Trend
Pros: Effective against most mal-ads, extremely effective against malware, with added security features of firewall protection, spam protection (Outlook spam toolbar), and a scan to check your Windows installation for missing security patches. Works regardless of the browser you are using.
Cons: It’s not free, although competitively priced.
Most Difficult. The most difficult and most time consuming is to manually add the list of known ad servers to your IE restricted zone.
There are several sites that list the known host files including a text version of the MVPS.bat file.
I list some of the sites here:
http://www.mvps.org/winhelp2002/hosts.txt
http://www.malwaredomainlist.com/mdl.php
http://www.malware.com.br/lists.shtml
To manually add the host files into your restricted zone, you can add them through the Internet Options settings in your Control Panel, or through the browser (IE) itself under Tools – Internet Options. Click on the Security tab and select the Restricted Sites icon. Click the Sites button to add whatever sites you wish to restrict.
Pros: You can customize the list to allow you to view specific ads.
Cons: Tedious, time consuming, and still requires manual updating.
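For my geeky readers, here is an added example (my own illustration, not code from the MVPS site or from the original post) that does the hosts-file part of the MVPS.bat method and the manual-list method above in a controlled way: it parses a hosts-format blocklist like the hosts.txt linked above, keeps only entries that sink a name to 0.0.0.0 or 127.0.0.1, throws away anything that would redirect a name to a live address or clobber localhost, and merges the result into your hosts file without touching the entries you already have. The blocklist and hosts content below are constructed samples.

```python
import re

# Constructed sample in MVPS hosts format (not real blocklist entries).
SAMPLE_BLOCKLIST = """\
# constructed sample blocklist
0.0.0.0 ads.example-adserver.test
0.0.0.0 tracker.example-adserver.test  # inline comment
127.0.0.1 localhost
0.0.0.0 malware.example.test
0.0.0.0 ads.example-adserver.test
0.0.0.0 ads.example-adserver.test/path
10.0.0.5 redirected.example.test
"""

HOSTNAME_RE = re.compile(r"^(?=.{1,253}$)([a-z0-9-]{1,63}\.)+[a-z0-9-]{1,63}$")
SINK_ADDRS = {"0.0.0.0", "127.0.0.1"}          # the only targets a blocklist should use
NEVER_BLOCK = {"localhost", "localhost.localdomain", "broadcasthost"}

def parse_blocklist(text):
    """Return the set of hostnames the list sinks to 0.0.0.0/127.0.0.1.
    Entries pointing anywhere else are skipped: a hosts blocklist should only
    sink names, never redirect them to a live address."""
    blocked = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()       # drop comments and blank lines
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2 or parts[0] not in SINK_ADDRS:
            continue
        for name in parts[1:]:
            name = name.lower()
            if name in NEVER_BLOCK or not HOSTNAME_RE.match(name):
                continue                          # keep localhost; reject junk like paths
            blocked.add(name)
    return blocked

def merge_into_hosts(existing_hosts, blocked, marker="# blocklist"):
    """Return new hosts text: your own lines kept as-is, any previously merged
    block (lines tagged with the marker) replaced by the fresh blocklist."""
    kept = [l for l in existing_hosts.splitlines() if not l.endswith(marker)]
    new_lines = [f"0.0.0.0 {name} {marker}" for name in sorted(blocked)]
    return "\n".join(kept + new_lines) + "\n"

def is_blocked(hostname, blocked):
    """Check a hostname (case-insensitive, trailing dot ignored) against the set."""
    return hostname.lower().rstrip(".") in blocked
```

On Windows the file to rewrite is C:\Windows\System32\drivers\etc\hosts, which needs an elevated (Run as administrator) prompt; pinging a blocked name afterwards should show it resolving to 0.0.0.0.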
Now, there are many other methods for doing this which get into more complicated explanations. So my geeky readers, don’t be emailing me telling me I left out this and that, because I meant this to be a quick tutorial for my not-so-techie readers.
Mary, I hope this helped and again, thank you for the phone call!
And as a reminder to Mary and others reading this blog, we are getting the courses back online and will have a huge announcement soon. The training area is located at: http://training.mice.org
Please feel free to leave a comment if you found this information valuable!
RUBotted Popup and Microsoft Bulletins
I’d like to take this minute to publicly thank the donor who bought me a cup of coffee by dropping a tip in my tip jar! Thank you! That was very sweet of you and very much appreciated!
Sometimes it really bothers me to be right!
You may remember that throughout the RUBotted pop-up discussions and my predictions for the year, I stated that:
There will be a IWMD (Internet Weapon of Mass Destruction) launched sometime during this year. It will be considered a mashup blended threat because it will take advantage of the security flaws in a multitude of web apps and will propagate through ad servers.
The keywords in my rants and my predictions have always been that the new malware will be pumped through ad servers. Remember that?
Well, it’s not the huge Weapon of Mass Destruction but it could be heading in that direction.
Microsoft issued a security bulletin today. And it seems there is a bit of a problem with the way Internet Explorer handles CSS. Yes, you’ve read that right. Cascading Style Sheets! A standard on the web!
In fact, here’s what their Bulletin MS09-002 says:
A remote code execution vulnerability exists in the way Internet Explorer handles Cascading Style Sheets (CSS). An attacker could exploit the vulnerability by constructing a specially crafted Web page. When a user views the Web page, the vulnerability could allow remote code execution. An attacker who successfully exploited this vulnerability could gain the same user rights as the logged on user.
And as they’ve told us repeatedly, Microsoft knows all about security and all about web standards!
But this is not the BEST part!
The Mitigating Factors section or the conditions in which this vulnerability becomes a problem states:
In a Web-based attack scenario, an attacker could host a Web site that contains a Web page that is used to exploit this vulnerability. In addition, compromised Web sites and Web sites that accept or host user-provided content or advertisements could contain specially crafted content that could exploit this vulnerability. In all cases, however, an attacker would have no way to force users to visit these Web sites. Instead, an attacker would have to convince users to visit the Web site, typically by getting them to click a link in an e-mail message or Instant Messenger message that takes users to the attacker’s Web site.
Now, what was it I said in the RUBotted pop-up discussion about ad servers possibly pushing the malware? Hmmm, maybe I’m not such a joke after all Symantec employee – huh?
The other part of that above quoted section makes me want to laugh myself off my chair.
In all cases, however, an attacker would have no way to force users to visit these Web sites. Instead, an attacker would have to convince users to visit the Web site, typically by getting them to click a link in an e-mail message or Instant Messenger message that takes users to the attacker’s Web site.
Dear Idiots at Microsoft, if the fracking thing can be exploited through hosted ads, nobody needs to be directed to a website! Nearly every freaking website has hosted ads now!
Am I the only one that sees how lame and ridiculous this is?
So needless to say, if you’ve got your auto-updates turned off as I do, then make sure you install the fix for this baby. But since we know there will be more fixes just move to Firefox and be done with it!
For the technical information on the new release see: Microsoft Bulletin Summary for February.
On another note, the RUBotted issue. My pop-ups are not as frequent as they were in the beginning, but I’m still getting a few here and there.
I think I’ve found multiple reasons for the message and although I tried to contact TrendMicro through our partner program and their twitter account, no one is responding – so what else is new?
One web site set off my RUBotted pop-up and I found a piece of code in the header that could explain it. The code was trying to activate my Firefox Skype toolbar – which I don’t have.
I’ve inserted the code at the bottom of this post so you can see it for yourself.
Upon researching what this does, I found that this code snippet is inserted by accident when someone is editing a web page and using the Skype toolbar add-on for Firefox.
However, since the Skype toolbar add-on makes it easy to call from Firefox, the JS file associated with this toolbar led me to believe that it was trying to activate something on the toolbar, which set off RUBotted.
Remember, all the RUBotted pop-up messages claim that something is trying to launch a program remotely! And that’s exactly what the script does!
(To see the JS file associated with this script code, visit here: Koders Code Search.)
Next, I have seen several other pop-ups associated with Flash files on a web site – either ads or just plain flash files on a web site.
Did you ever notice how you can right click over a flash file and get to the settings?
Just go to adobe.com and there’s a huge flash section in the upper section. Right mouse click and select the settings.
The first thing that appears is the privacy settings and you can allow or deny flash player to access your web cam or microphone – if you have them – and I do.
What if, there’s something attempting to access the flash player on those sites that are giving us the pop-up?
I don’t have the answer yet because it’s very time consuming and quite difficult to go through every flash ad and try to reverse engineer it to find out what it’s doing.
But I was correct about the ad servers and malware, just didn’t know about the CSS vulnerability. How many other ad server vulnerabilities are there that we still don’t know about? Or is this someone doing some testing for the next round of malware?
So, who’s to say I’m not right about these flash pop-ups either?
There is one flaw in my thinking however. My housemate didn’t have Flash Player installed when he first got hit with his pop-up. And… he doesn’t have a web cam nor a microphone.
But! Could his pop-ups have been related to the Skype toolbar issue? Or something else?
I’ve had several people contact me with theories and thoughts, and another big possibility is the attempt to launch your messaging program, chat, or instant messenger.
We continue investigating flash files, JavaScript files, and lines and lines of code!
Friday Quickies
Lots going on, and trying to keep up with this changing security landscape!
Just in from a LinkedIn friend from Trend Micro group:
Trend Micro Security Labs has discovered that malware authors are already using Christmas themes as a social engineering tactic in an effort to gain control over compromised machines.
This campaign uses email messages in the form of e-greetings, leading to supposed animated postcards.
These actually lead to a Trojan backdoor that has been distributed in previous malicious spam campaigns.
The email messages, spoofed to appear as though they have been sent from postcards.org, display an animated Christmas scene.
Internet Evolution, a tech site I belong to, is having a contest regarding our top 5 predictions for 2009.
Here are mine that I posted today.
1. Twitter will either replace conventional messaging systems (AIM, Yahoo, etc), or the messaging systems will be adapted to facilitate the use of your twitter @twittername. (You can follow me: @debbiemahler)
2. There will be a IWMD (Internet Weapon of Mass Destruction) launched sometime during this year. It will be considered a mashup blended threat because it will take advantage of the security flaws in a multitude of web apps and will propagate through ad servers.
3. Google will post the Federal Budget for President-elect Obama proving that a) campaigning for a candidate can increase your business, and b) we just may be capable of transparency in government.
4. Steve Ballmer will get hit with a pie (if not several) while giving a speech this year.
5. Microsoft will purchase Yahoo and ruin it like it does everything else giving Google a clear and leading advantage in the search engine business as well as advertising and free email.
So now it’s preserved on the web forever!
In a story related to our alert on the 0-day exploit, Information Week quoted TrendMicro as saying this:
Trend Micro says that the toolkit related to this exploit is being sold in the Chinese underground community and that files associated with this attack have been designed to steal information such as online gaming credentials.
According to Virustotal, a file analysis service, only 20 out of 38 listed antivirus applications detected the information-stealing malware.
Trend Micro also says that victims of this attack could become infected with a rootkit. (Source: http://www.informationweek.com/news/internet/security/showArticle.jhtml?articleID=212400523&cid=nl_IWK_daily_H)
Hey Trend? Any idea what’s causing your pop-ups on RUBotted? Or are you not concerned because I’m not a Chinese underground hacker?
But as an aside, I think I’m going to check my system for a rootkit just the same. Maybe that’s the RUBotted pop-ups??
And last but not least, one of my favorite Big Brother Browsers, Google Chrome came out of beta.
Congratulations to Google. I still don’t trust it and still won’t use it! But congratulations just the same!