Posts Tagged ‘Trend Micro’
Steps To Blocking Mal-Ads & Malware Sites
This post is dedicated to Mary, one of our blog readers who actually called me and asked me how to block the mal-ads because her TrendMicro RUBotted was continually alerting her. Thank you Mary! It’s so nice to know readers are gaining value from what I write. You truly made my day today!
There are several ways to block the ad servers that push mal-ads. I will start with the simplest and work down to the more difficult, listing the pros and cons of each method.
Easiest: The first and easiest method I’ve found to block the malware-pushing ads on even the most legitimate sites (tarot.com, to name a large and entirely legitimate site that is guilty of this) is to install the Firefox web browser with the AdBlock Plus add-on.
Firefox: http://www.mozilla.com/en-US/
AdBlock Plus: https://addons.mozilla.org/en-US/firefox/addon/1865
Important Notes: If you are new to Firefox, add-ons do not install automatically the way ActiveX controls do in Internet Explorer (IE). You have to click the Add to Firefox button, then, after it loads in the small window, click Install Now to complete the installation. That extra confirmation is a deliberate safeguard: nothing gets added to the browser until you have explicitly approved it, which is one reason drive-by installs are harder to pull off against Firefox than against IE.
After the add-on installs it will ask you to restart Firefox. Firefox saves the tabs and windows you had open, so restart without worries; you’ll come back to the page you were on.
Once you install AdBlock Plus, you should see a small stop sign in the upper right corner with the letters ABP in the middle.
Clicking on the down arrow of the icon allows you to control ad blocking on the site or page you are on.
Since I’ve installed this handy plug-in, I’ve not seen any RUBotted pop-ups and 99% of the ads I used to see are completely gone. Even all the ones at tarot.com!
Pros: Easy to install and use. Updates itself. No further user steps necessary once installed.
Cons: It also blocks some forms on web sites, particularly on Internet-marketer sites but on some legitimate ones too. If a page tells you to enter your email address below and you can’t find the form, AdBlock Plus is blocking it. Use the ABP menu’s “Disable on …” entry for that page or site, refresh, and the form should appear. The “Open blockable items” entry in the same menu lists exactly what was blocked on the page, which is the quickest way to confirm it was the filter and not the site.
Next Easiest – If you are a die-hard IE user and insist on using IE, install Spybot S&D (Search & Destroy) from safer-networking.org (download from one of the safer-networking mirrors).
Once you get past running it the first time, open the program and change the Mode in the top menu to Advanced mode. It will prompt you with a message; click Yes.
In advanced mode, you will see 3 bars on the lower right pane of the window. Click Tools.
In the right window, check the boxes next to IE Tweaks and Hosts File if they are not already checked. After checking them, IE Tweaks and Hosts File links appear in the left pane. (They do not look like links, but they are!)
Click Hosts File in the left pane and a different right-hand window appears. Click the Add Hosts Files button and the list will populate. What this does: it appends a long list of known ad and malware hostnames to Windows’ hosts file (%SystemRoot%\System32\drivers\etc\hosts), each pointed at a loopback address, so any browser or program on the machine that asks for one of those names is sent to your own PC instead of to the ad server.
When the hosts file update is complete, click the IE Tweaks link in the left pane. Check the box to lock the hosts file (read-only) if it is not already checked, so a hijacker cannot quietly rewrite it. Close Spybot.
Now when you go to IE, you should see this available from the Tools menu:
If you click that link, you will see that Spybot has installed the hosts file entries and is silently blocking the bad sites.
Pros: Easy to install, easy to use, and protects you from spyware with regular scanning. Plays nice with Lavasoft’s Ad-aware. And there are a lot of advanced features you can use if you download my free tutorial PDF from this blog post: Spybot Search & Destroy in Advanced Mode.
Cons: Unless you use the advanced configuration to schedule updates and scans, you have to remember to run them manually. If Spybot is installed on a machine prior to installing Trend Micro, you have to uninstall Spybot first, install Trend and reinstall Spybot.
PLEASE NOTE: You cannot immunize with Spybot if you are using one of the major security vendors’ software! When you immunize, Spybot takes control of the files to monitor them for alterations. The major security software vendors do the same. What you end up with is a huge struggle between files and vendors, and your computer slows to a crawl. If you immunized and are experiencing a crawling computer, undo the immunization. It may take several tries to get fully cleared out, but your computer speed will return to normal. Major security vendors are: TrendMicro, Symantec, Norton, McAfee, AVAST, Eset, Kaspersky, Panda, Webroot, and possibly AVG.
Next Easiest – Another one for the die-hard IE users. Go to the following site and run the handy tool called mvps.bat.
The site is www.mvps.org; you want the zip file midway down the page.
This is a batch file that copies the current MVPS HOSTS file (a list of known ad and malware hostnames, each pointed at a non-routable address such as 0.0.0.0 or 127.0.0.1) into place as the Windows hosts file, %SystemRoot%\System32\drivers\etc\hosts. Windows consults that file before asking DNS, so those names never resolve to the real ad servers. A command window pops up and tells you when it’s done.
Pros: Very simple to install.
Cons: The list changes constantly (for every malware site that is found or shut down, ten more appear), and the batch file does not update itself, so you have to remember to check back frequently and re-run it.
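The hosts-file approach (Spybot’s Hosts File tool and mvps.bat both work this way) is easy to automate so that re-running it after an update does not keep growing the file. Below is an added example, my own code and not anything from the original post, Spybot or mvps.org: it parses an MVPS-style list, keeps it in one marked section of the hosts file so updates replace rather than append, and answers the question the cons above raise, namely whether a given hostname is actually covered. The blocklist text and the hostnames in it are constructed for illustration; the hosts-file locations are the usual defaults. Writing the real file needs an elevated prompt, so the script only prints the merged result.

```python
"""Apply an MVPS-style HOSTS blocklist to a hosts file.

Added example, not code from the original post, Spybot or mvps.org. The
blocklist text below is constructed to look like the MVPS format; the
hostnames in it are made up for illustration, not a real blocklist.
"""
from __future__ import annotations
import os
import platform
import re
from pathlib import Path

BEGIN = "# BEGIN managed blocklist"
END = "# END managed blocklist"

# Constructed sample in the MVPS format: "<sink address> <hostname>", with
# '#' comments. 0.0.0.0 and 127.0.0.1 both work as a sink address.
SAMPLE_BLOCKLIST = """\
# This MVPS HOSTS file is a free download (constructed sample)
0.0.0.0 ads.example-adserver.test
0.0.0.0 clk.example-tracker.test   # banner clicks
127.0.0.1 localhost                # must never be treated as a block entry
0.0.0.0 ADS.Example-AdServer.TEST  # duplicate in different case
"""

_LINE = re.compile(r"^\s*(0\.0\.0\.0|127\.0\.0\.1)\s+([A-Za-z0-9.\-]+)")


def parse_blocklist(text: str) -> set[str]:
    """Return the set of hostnames the list sinks, lower-cased and de-duplicated.
    'localhost' is skipped: it is in every hosts file and is not a block."""
    hosts: set[str] = set()
    for line in text.splitlines():
        m = _LINE.match(line)
        if not m:
            continue
        name = m.group(2).lower()
        if name != "localhost":
            hosts.add(name)
    return hosts


def is_blocked(hostname: str, blocked: set[str]) -> bool:
    """Exact-match lookup, the same way the resolver treats hosts entries:
    an entry for ads.example.test does not cover x.ads.example.test."""
    return hostname.lower().rstrip(".") in blocked


def merge_hosts(existing: str, blocked: set[str], sink: str = "0.0.0.0") -> str:
    """Rewrite the hosts file text with one managed section holding the
    blocklist. Re-running replaces the section instead of appending again,
    so an updated list can be applied without the file growing."""
    lines = existing.splitlines()
    if BEGIN in lines and END in lines:
        start, stop = lines.index(BEGIN), lines.index(END)
        lines = lines[:start] + lines[stop + 1:]
    section = [BEGIN] + [f"{sink} {h}" for h in sorted(blocked)] + [END]
    return "\n".join(lines + section) + "\n"


def system_hosts_path() -> Path:
    """Default hosts-file location (assumed); Windows keeps it under %SystemRoot%."""
    if platform.system() == "Windows":
        root = os.environ.get("SystemRoot", r"C:\Windows")
        return Path(root) / "System32" / "drivers" / "etc" / "hosts"
    return Path("/etc/hosts")


if __name__ == "__main__":
    blocked = parse_blocklist(SAMPLE_BLOCKLIST)
    path = system_hosts_path()
    current = path.read_text() if path.exists() else "127.0.0.1 localhost\n"
    # Print rather than write: writing the real file needs an elevated prompt.
    print(merge_hosts(current, blocked))
```

Swap SAMPLE_BLOCKLIST for the text of the downloaded hosts.txt, and run the merge on each update; the managed markers are what keep the operation idempotent.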
More difficult and not free. Install Trend Micro Internet Security.
Trend blocks the major mal-ad providers as I illustrated in a previous blog post: New Trend in Trend
Pros: Effective against most mal-ads, extremely effective against malware, with the added security features of firewall protection, spam protection (Outlook spam toolbar), and a scan that checks your Windows installation for missing security patches. Works regardless of the browser you are using.
Cons: It’s not free, although competitively priced.
Most Difficult. The most difficult and most time consuming is to manually add the list of known ad servers to your IE restricted zone.
There are several sites that publish lists of known ad and malware hostnames, including the text version of the MVPS HOSTS file that mvps.bat installs.
I list some of the sites here:
http://www.mvps.org/winhelp2002/hosts.txt
http://www.malwaredomainlist.com/mdl.php
http://www.malware.com.br/lists.shtml
To add those hostnames to the Restricted zone manually, open Internet Options either from the Control Panel or from IE itself under Tools – Internet Options. Click the Security tab, select the Restricted sites icon, and click the Sites button to add whatever sites you wish to restrict. Be clear about what this buys you: the Restricted zone turns off scripting, ActiveX and other active content for those sites, but the browser still connects to them and still fetches their images, so it is a weaker control than a hosts-file entry, which stops the connection from being made at all.
Pros: You can customize the list to let specific ads through.
Cons: Tedious, time consuming, and still requires manual updating.
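Adding a long list through the Sites dialog is the tedious part. IE keeps each user’s zone assignments in the registry, so the same hosts list can be turned into a .reg file and imported in one step. The example below is mine, added here and not from the original post or from Microsoft; it assumes the ZoneMap\Domains layout given in the code’s docstring (one key per registrable domain, subdomains as subkeys, a “*” DWORD holding the zone number, 4 for Restricted sites), and its hostnames are constructed. Review the output before importing it, and note that it affects the current user only.

```python
"""Generate a .reg file that puts a list of hostnames into IE's Restricted
sites zone, instead of clicking Add for each one.

Added example, not from the original post or from Microsoft. Assumptions:
IE records per-user zone assignments under
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains,
one key per registrable domain with subdomains as subkeys, and a value
named "*" (all schemes) whose DWORD is the zone number (4 = Restricted
sites). The hostnames below are constructed for illustration.
"""
from collections import defaultdict

ZONE_RESTRICTED = 4
ZONEMAP = (r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion"
           r"\Internet Settings\ZoneMap\Domains")

# Constructed sample in hosts-file form (the lists linked above use this layout).
SAMPLE = """\
0.0.0.0 ads.example-adserver.test
0.0.0.0 img.example-adserver.test
0.0.0.0 example-tracker.test
127.0.0.1 localhost
"""


def hostnames(text):
    """Pull the sunk hostnames out of a hosts-format list, skipping localhost."""
    out = set()
    for line in text.splitlines():
        parts = line.split()
        if (len(parts) >= 2 and parts[0] in ("0.0.0.0", "127.0.0.1")
                and parts[1].lower() != "localhost"):
            out.add(parts[1].lower())
    return out


def split_domain(host):
    """Split a hostname into (registrable domain, subdomain-or-None) the way
    the ZoneMap keys are laid out: ads.example.test -> ("example.test", "ads").
    Assumes a two-label registrable domain; a real tool would consult the
    public suffix list for names like example.co.uk."""
    labels = host.strip(".").split(".")
    if len(labels) < 2:
        raise ValueError(f"not a fully qualified name: {host}")
    domain = ".".join(labels[-2:])
    sub = ".".join(labels[:-2]) or None
    return domain, sub


def reg_text(hosts, zone=ZONE_RESTRICTED):
    """Return the contents of a .reg file (Windows Registry Editor 5.00 format)
    assigning every host to the given zone."""
    keys = defaultdict(set)
    for h in sorted(hosts):
        domain, sub = split_domain(h)
        keys[domain].add(sub)
    lines = ["Windows Registry Editor Version 5.00", ""]
    for domain in sorted(keys):
        for sub in sorted(keys[domain], key=lambda s: s or ""):
            key = f"{ZONEMAP}\\{domain}" + (f"\\{sub}" if sub else "")
            lines += [f"[{key}]", f'"*"=dword:{zone:08x}', ""]
    return "\r\n".join(lines)


if __name__ == "__main__":
    # Save as restricted.reg and double-click it in Windows to import.
    print(reg_text(hostnames(SAMPLE)))
```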
Now, there are many other methods for doing this which gets into more complicated explanations. So my geeky readers, don’t be emailing me telling me I left out this and that because I meant this to be a quick tutorial for my not-so-techie readers.
Mary, I hope this helped and again, thank you for the phone call!
And as a reminder to Mary and others reading this blog, we are getting the courses back online and will have a huge announcement soon. The training area is located at: http://training.mice.org
Please feel free to leave a comment if you found this information valuable!
Mal-Ads Still Being Pushed Through Ad Servers!
You may remember my earlier post: On Botnets, Lie and Corporate BullS#&t, or perhaps you saw the New Trend in Trend post where I discussed the fact that not only were mal-ads being served up through the ad servers, but that my Trend Micro was actually blocking them!
Well, alas and alack, this weekend there were some interesting developments along these lines.
I’ve been a bit of a funk lately and took the weekend off to play my online games and catch up on some personal reading. I have this tendency to leave my MySpace Mafia Wars* open in one tab, while I go look at other sites so I can wait until my 3 hours are up to collect on my Cuba Business! Those of you who play Mafia Wars know what I’m talking about! (GRIN)
Anyway, I had Mafia Wars open on one tab and then opened Tarot.com on the other so I could read my horoscope and find the SuperKC for the day. (Don’t ask! But if you’re interested: Click here for a FREE Tarot Reading**) I walked away from the computer to grab a cup of coffee or something, and when I returned, my Tarot page was switched to the following:
Now, you might say, Debbie, how do you know it’s tarot.com that delivered the malware? Glad you asked that! Because, other people were reporting the same in the forums!
I also tried for several hours to reproduce the behavior as I was running my screen capture program and here’s what I discovered!
It’s very difficult – if not impossible – to catch this bugger in the act because of the way the many ads and ad programs they are running rotates. I was able to capture at least 11 different ad servers that were rotating on that site. Specifically:
- a367.yahoofs.com
- ads.lucidmedia.com
- ad.reduxmedia.com
- pixel.quantserve.com
- s7.addthis.com
- m1.2mdn.net
- doubleclick.net
- googleads
- ak.imgfarm.com
- clk.atdmt.com
- img.mediaplex.com
As I would refresh the page trying to get the mal-ad to show up again, these 11 ad servers (and more) would rotate on the page and also rotate the ads they were showing. Therefore, there are hundreds, if not millions of different possible ads that could show up at any given time on that site and individual pages!
I spent nearly 2 hours refreshing the various pages to no avail. I could not capture the mal-ad again.
But this clearly demonstrates how slick this method of pushing malware through the ad servers is!
In case you do not remember, the fake “anti-virus scanner” page is one of those rogue-antivirus Trojan downloaders, delivered as a drive-by download, that are so hard to get rid of!
If you are using Firefox, make sure your options are set to help avoid these drive-bys. The first setting is on the Main tab of Options: under Downloads, choose “Always ask me where to save files”. This gives you a heads-up that the drive-by is trying to save something, AND you can then cancel it before it lands on disk. IE saves a copy to your temp folder long before you ever get a pop-up notice that it even blocked it. By then, it’s too late! One caveat: the save prompt only catches downloads that go through the browser’s download manager. A drive-by that runs code through a hole in the browser or a plug-in never asks, which is why keeping the browser and plug-ins patched, and the site blocklist described next, matter as much as this setting.
See the section with the red line around it below to adjust yours as I have mine adjusted:
Also, let Firefox block known bad sites for you: on the Security tab of Options, make sure “Block reported attack sites” and “Block reported web forgeries” are both checked:
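Those checkboxes are stored in the profile’s prefs.js, so they can be verified from the file itself, which is handy when you look after more than one machine. The example below is an added one, written for this page rather than taken from the post or from Mozilla; it assumes the Firefox 3 pref names listed in the code (the ones behind the Main and Security checkboxes) and their defaults, and its sample prefs.js is constructed.

```python
"""Audit a Firefox profile's prefs.js for the settings discussed above:
"Always ask me where to save files" and the Safe Browsing blocklists.

Added example, not code from the original post or from Mozilla. The pref
names are the ones behind those Options dialog checkboxes in Firefox 3;
the defaults are assumed (prefs.js only stores values that differ from the
built-in default, so a missing line means the default applies). The sample
prefs.js text is constructed.
"""
import re

# pref name -> (secure value, built-in default, Options dialog label)
WANTED = {
    "browser.download.useDownloadDir":
        (False, True, "Main > Downloads > Always ask me where to save files"),
    "browser.safebrowsing.malware.enabled":
        (True, True, "Security > Block reported attack sites"),
    "browser.safebrowsing.enabled":
        (True, True, "Security > Block reported web forgeries"),
}

_PREF = re.compile(r'^\s*user_pref\("([^"]+)",\s*(.+?)\);\s*$')


def parse_prefs(text):
    """Parse user_pref("name", value); lines into a dict. Values are JS
    literals: true/false, integers, or double-quoted strings."""
    prefs = {}
    for line in text.splitlines():
        m = _PREF.match(line)
        if not m:
            continue
        name, raw = m.groups()
        if raw in ("true", "false"):
            prefs[name] = raw == "true"
        elif raw.lstrip("-").isdigit():
            prefs[name] = int(raw)
        elif len(raw) >= 2 and raw.startswith('"') and raw.endswith('"'):
            prefs[name] = raw[1:-1]
    return prefs


def audit(prefs):
    """Return {pref: dialog label} for every wanted setting not in its secure
    state, applying the default when the profile has no explicit value."""
    findings = {}
    for name, (secure, default, label) in WANTED.items():
        if prefs.get(name, default) != secure:
            findings[name] = label
    return findings


# Constructed sample: the user turned attack-site blocking off and left the
# download prompt at its default (save without asking).
SAMPLE_PREFS_JS = """\
# Mozilla User Preferences (constructed sample)
user_pref("browser.startup.homepage", "http://www.example.test/");
user_pref("browser.safebrowsing.malware.enabled", false);
user_pref("app.update.lastUpdateTime.addon-background-update-timer", 1255000000);
"""

if __name__ == "__main__":
    # Point this at <profile>/prefs.js on a real machine (close Firefox first).
    for name, label in audit(parse_prefs(SAMPLE_PREFS_JS)).items():
        print(f"{name}: turn on '{label}'")
```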
If you are still stupid enough – AND YES, I CALLED YOU STUPID – to be using Internet Explorer, and you get caught with this drive-by download, (because there are other sites still dishing it out!) then go to MalwareBytes.org and download their free tool to remove it. I am not an affiliate of this company, I don’t make any money off recommending their program to you, I just know that I’ve used it to remove these drive-bys from my clients machines. And to be honest, it’s the only thing I found that works!
Now, one final point of clarity, if this is the first time you’re reading about any of this information and you just now found our blog, then I do apologize for calling you stupid. You’re not. You are in fact very smart for finding us!
However, for the numerous amount of readers that we have on a repeat basis, if you are still using IE after I’ve preached, and shown you how dangerous it is, then you fit the stupid category! Strong words, Yes. But I don’t know what else to do to get you to listen to me!
These problems perpetuate because you are not protecting yourself! You are not educating yourself! You owe it to every other Internet citizen to stop the insanity by making this kind of behavior unprofitable to the people who send this crap out!
Okay, I’ll get off my soapbox now. Enough said?
*Please feel free to add me as a friend if you play MySpace Mafia Wars!
**TIIM This is my affiliate link to tarot.com. I earn Karma Coins if you sign up.
CORRECTION ADDED 10/11/09 Addthis.com is not an ad server! Thank you Joel for setting the record straight and thank you for letting us know!
Should I Be Concerned About the Conficker Worm?
I’ve been getting this question from family and friends as the buzz is around the Internet that this is going to be a big thing on April 1st.
The truth of the matter is, at last check, researchers had no idea what this thing was going to do. So I’m wondering why suddenly it’s a big thing? So, I did some more research on my own and supposedly, some people are saying it’s set to go off on April 1st but others have not mentioned it. So it makes one wonder if there’s too much hype.
According to Microsoft’s information posted:
What Happens on April 1, 2009?
Systems infected with the latest version of Conficker will begin to use a new algorithm to determine what domains to contact. Microsoft has not identified any other actions scheduled to take place on April 1, 2009. It is possible that systems with the latest version of Conficker may be updated with a newer version of Conficker on April 1 by contacting domains on the new domain list. However, these systems could be updated on any date before or after April 1 as well using the “peer-to-peer” updating channel in the latest version of Conficker.
(Source: http://www.microsoft.com/protect/computer/viruses/worms/conficker.mspx)
That’s all it’s set to do, update. And I believe what people are panicking about is just what is the update going to tell it to do?
You know, it’s April Fool’s day. Maybe it’s going to shoot out a message that say’s “Psych! Had you going!” Or maybe, “Ballmer Sucks!” I’d pay to see that one!
I know I’m making light of the subject but the truth is that we don’t know what it’s going to do! It’s that simple! The fervor with which the rumors are spreading is ridiculous! It sounds like we’re at the eve of 2000 again.
If you’re paranoid and this new worm has you frightened, then educate yourself. Yes, a shameless advertisement for our courses. Take one! Learn! Otherwise you’re a victim to every pundit who writes for the news.
First of all, let’s get the concept of a worm straight. As my students know, a worm is not like an ordinary virus, which needs a user to do something to activate it, like opening an e-mail attachment. A worm needs no human intervention: it finds other reachable computers (here, Windows machines missing the MS08-067 patch discussed below) and copies itself to them on its own.
Secondly, if you are running a reputable antivirus program with current signatures, the worm is detected in scans, so you should be in reasonable shape. One caveat, explained further down: once the worm is on a machine it disables updates and blocks the vendors’ web sites, so a scanner that was already out of date when the worm arrived may never catch up. Patch first.
When I say reputable, I’m not discounting the free antivirus programs. Avast and AVG have confirmed they are protecting you.
http://forum.avast.com/index.php?topic=41900.0
http://viruslab.blog.avg.com/2009/01/downadupconficker-worm.html
The other major manufacturers are reporting the same.
What bothers me the most in the reporting of this worm, is that thousands if not a million computers are infected with this worm. If that’s true, then are you telling me that hundreds of thousands of users are not using virus protection??? That scares me more than this worm does!
Okay, so if you’re running AV protection, you’re somewhat safe. But the real fact of the matter is, you need to protect yourself by installing Microsoft’s MS08-067 security update and disabling Windows’ AutoPlay and AutoRun features. (Although I refuse to disable my autorun, autoplay features personally. And, I would like to think I’m relatively certain that I don’t have the worm. But I’ll do a double check to make sure.)
The patch is available here: http://www.microsoft.com/technet/security/bulletin/MS08-067.mspx
The reason they recommend disabling AutoPlay and AutoRun is that, besides the network, the worm also spreads through file shares and removable drives such as USB (thumb) drives. It copies itself to the removable drive along with an autorun.inf file, so that when the drive is plugged in the AutoPlay dialog shows one additional option.
For example, here is my normal auto-play screen:
This is the one with the extra worm file on top of the normal windows explorer option:
If you select the first option, the worm executes and can begin to spread itself to other computers.
Estimates of how many computers this worm has infected range from thousands to millions; nobody has a reliable count.
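The extra AutoPlay entry comes from an autorun.inf on the drive. The example below is an added one, mine rather than anything from the post or from Microsoft: it reads an autorun.inf and reports the tells that make such an entry a disguised launcher (an action label copied from Windows’ own “Open folder to view files”, the system folder icon borrowed from shell32.dll, a command that runs a DLL through rundll32 out of a recycle-bin folder, and junk padding around the text). The sample autorun.inf, including its file and folder names, is constructed to illustrate the pattern.

```python
"""Inspect an autorun.inf for the trick described above: an entry that looks
like Explorer's own "Open folder to view files" but runs a file from the drive.

Added example, not from the original post or from Microsoft's write-up. The
sample autorun.inf below is constructed to resemble the technique; the file
and folder names in it are made up.
"""
from __future__ import annotations
import string

# Constructed sample: spoofed label, system icon, rundll32 launcher in a
# recycle-bin folder, and a comment line padded with non-text bytes.
SAMPLE_AUTORUN = (
    b"[autorun]\r\n"
    + b"; " + bytes(range(0x80, 0x100)) * 3 + b"\r\n"
    + b"Action=Open folder to view files\r\n"
    + b"Icon=%systemroot%\\system32\\shell32.dll,4\r\n"
    + b"shellexecute=RUNDLL32.EXE .\\RECYCLER\\S-1-2-3\\payload.vmx,install\r\n"
    + b"UseAutoPlay=1\r\n"
)

LAUNCH_KEYS = ("open", "shellexecute")
EXPLORER_LABELS = ("open folder to view files",)


def parse_autorun(data: bytes) -> dict:
    """Return lower-cased key -> value for the [autorun] section, ignoring
    bytes that are not 7-bit text (junk padding) and ';' comment lines."""
    text = data.decode("ascii", errors="ignore")
    keys, in_section = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line.lower() == "[autorun]"
            continue
        if in_section and "=" in line:
            k, _, v = line.partition("=")
            keys[k.strip().lower()] = v.strip()
    return keys


def suspicious(data: bytes) -> list[str]:
    """List the reasons this autorun.inf looks like a disguised launcher.
    An empty list means nothing matched, not that the file is safe."""
    keys = parse_autorun(data)
    reasons = []
    if keys.get("action", "").lower() in EXPLORER_LABELS:
        reasons.append("action label mimics Windows' own AutoPlay entry")
    if "shell32.dll" in keys.get("icon", "").lower():
        reasons.append("icon borrowed from shell32.dll to look like a folder")
    for k in LAUNCH_KEYS:
        cmd = keys.get(k, "").lower()
        if not cmd:
            continue
        if "rundll32" in cmd:
            reasons.append(f"{k} loads a DLL through rundll32")
        if "recycler" in cmd or "$recycle.bin" in cmd:
            reasons.append(f"{k} runs something out of a recycle-bin folder")
        # The launched file is the last token before any ",EntryPoint" suffix.
        target = cmd.split(",")[0].split()[-1]
        if not target.endswith((".exe", ".bat", ".cmd")):
            reasons.append(f"{k} target is not an executable extension: {target}")
    printable = sum(b in string.printable.encode() for b in data)
    if data and printable / len(data) < 0.9:
        reasons.append("file is padded with non-text bytes")
    return reasons


if __name__ == "__main__":
    # On a real drive: suspicious(open(r"E:\autorun.inf", "rb").read())
    for reason in suspicious(SAMPLE_AUTORUN):
        print("-", reason)
```

Because the parser works on the decoded text, the junk that such files are padded with does not hide the keys from it, and a benign autorun.inf that just launches setup.exe produces no findings.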
Now, for my techie friends and advanced students: the worm signature has been found. Yes! That’s right! The signature was found and reported on yesterday. And guess what tool you can use to find it? One from our advanced class! NMAP!
Because the check works over the network without credentials (an infected machine answers a particular unauthenticated SMB request differently from a clean one, so the infection is visible on the surface of the host to anyone on the LAN), you should be able to pick it up with NMAP. There is also a proof-of-concept scanner available here if you’d like to test it out: http://iv.cs.uni-bonn.de/uploads/media/scs.zip
This PoC was developed with help from Dan Kaminsky, our love/hate security guru! I say that tongue-in-cheek Dan! (SMILE)
Now, for the average person again: What are the signs that my PC has been hit? Microsoft’s advisory about Downadup, or Conficker lists several symptoms of infection, including these:
Account lockout policies are being tripped (because the worm tries to log in to other computers and shared folders on the network using a list of common passwords, and those failed attempts count against the lockout threshold).
Account lockout policies being tripped is the technical way of saying that you get locked out of your own resources, whether your computer, your router or your programs. For the average user, it’s when you enter a password you know is right and an error message pops up claiming you entered the wrong username and password, and you sit there saying, “WTF?”
Automatic Updates are disabled (because Conficker tries to keep the PC unpatched by turning off Windows Update’s automatic update, as well as Background Intelligent Transfer Service (BITS), the Windows component used by Windows Update to actually deliver the updates).
You can actually check to make sure that these are running by:
- Right click your My Computer icon and choose: Manage.
- Navigate to: Services and Applications.
- Click the plus sign to get to: Services.
- Once you click on Services in the list, you should see the list of services in the right side of the screen. They are in alphabetical order.
- Automatic Updates and Background Intelligent Transfer Service (BITS) should be set to automatic and started. BITS may be manual and not running but that’s okay as long as the Automatic Updates are running.
- If you have your auto updates turned off, please use the link above to get your patch!
Various security-related Web sites cannot be accessed (because Conficker blocks access to a whole host of security companies’ sites in an effort to prevent antivirus software from being updated, which could result in the worm’s detection and eradication).
More technical information from Microsoft:
The following system changes may indicate the presence of this malware:
- The lack of response from, or the termination of, the following services:
- Windows Security Center Service (wscsvc) – notifies users of security settings (e.g. Windows update, Firewall and Antivirus)
- Windows Update Auto Update Service (wuauserv)
- Background Intelligent Transfer Service (BITS) – used by Windows Update to download updates using idle network bandwidth
- Windows Defender (WinDefend)
- Error Reporting Service (ersvc) – sends error reports to Microsoft to help improve user experience
- Windows Error Reporting Service (wersvc)
- Users may not be able to run applications containing the following strings:
autoruns
avenger
confick
downad
filemon
gmer
hotfix
kb890
kb958
kido
klwk
mbsa.
mrt.
mrtstub
ms08-06
procexp
procmon
regmon
scct_
sysclean
tcpview
unlocker
wireshark
- Users may not be able to browse certain security-related Web sites with URLs that contain any of the following strings:
agnitum
ahnlab
anti-
antivir
arcabit
avast
avgate
avira
bothunter
castlecops
ccollomb
centralcommand
clamav
comodo
computerassociates
conficker
cpsecure
cyber-ta
defender
downad
drweb
dslreports
emsisoft
esafe
eset
etrust
ewido
f-prot
f-secure
fortinet
free-av
freeav
gdata
grisoft
hackerwatch
hacksoft
hauri
ikarus
jotti
k7computing
kaspersky
kido
malware
mcafee
microsoft
mirage
msftncsi
msmvps
mtc.sri
networkassociates
nod32
norman
norton
onecare
panda
pctools
prevx
ptsecurity
quickheal
removal
rising
rootkit
safety.live
securecomputing
secureworks
sophos
spamhaus
spyware
sunbelt
symantec
technet
threat
threatexpert
trendmicro
trojan
virscan
virus
wilderssecurity
windowsupdate
- Users may experience a Web browser time-out error when attempting to access URLs containing the following strings:
avg.
avp.
bit9.
ca.
cert.
gmer.
kav.
llnw.
llnwd.
msdn.
msft.
nai.
sans.
vet.
(Source: http://www.microsoft.com/security/portal/Entry.aspx?Name=Worm:Win32/Conficker.D)
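Two of the indicators above can be checked mechanically on a suspect machine: whether the services Microsoft names are still running (the Services console steps earlier in this post, done from a prompt), and whether names containing the listed strings fail to resolve while ordinary names still do. The worm filters lookups on the infected host itself, so the DNS check must run there, not from another PC. The example below is added for this page; it is not from the post, Microsoft or Trend Micro. It assumes the output format of Windows’ sc query and uses a small subset of the string list; the sample sc output and the canary/control hostnames are constructed and assumed.

```python
"""Triage checks for two Conficker indicators: the services it stops and
the security sites it makes unreachable.

Added example, not from the original post, Microsoft or Trend Micro. The
service check parses the output of Windows' own "sc query <name>" (assumed
format: a "STATE : <n> <WORD>" line); the DNS check compares names that
contain strings from Microsoft's list against control names that contain
none of them. Sample outputs below are constructed; the hostnames in
__main__ are assumptions chosen for illustration.
"""
import re
import socket
import subprocess

# Services Microsoft says the worm stops (short names from the list above).
SERVICES = ["wscsvc", "wuauserv", "BITS", "WinDefend", "ersvc", "wersvc"]

# A subset of the blocked URL substrings from Microsoft's list; extend as needed.
BLOCKED_SUBSTRINGS = ["microsoft", "windowsupdate", "symantec", "mcafee",
                      "trendmicro", "kaspersky", "avast"]

_STATE = re.compile(r"STATE\s*:\s*\d+\s+([A-Z_]+)")


def service_state(sc_output: str) -> str:
    """Reduce 'sc query' output to RUNNING / STOPPED / ... or MISSING."""
    m = _STATE.search(sc_output)
    return m.group(1) if m else "MISSING"


def query_service(name: str) -> str:
    """Ask the Service Control Manager; on non-Windows hosts reports MISSING."""
    try:
        out = subprocess.run(["sc", "query", name], capture_output=True,
                             text=True, timeout=10).stdout
    except (OSError, subprocess.SubprocessError):
        return "MISSING"
    return service_state(out)


def name_is_blocked(name: str) -> bool:
    return any(s in name.lower() for s in BLOCKED_SUBSTRINGS)


def dns_verdict(results: dict) -> str:
    """results maps hostname -> True if it resolved. Controls resolving while
    every blocklist-matching name fails is the pattern the worm's DNS
    filtering produces; nothing resolving just means the network is down."""
    canaries = {h: ok for h, ok in results.items() if name_is_blocked(h)}
    controls = {h: ok for h, ok in results.items() if not name_is_blocked(h)}
    if not canaries or not controls:
        raise ValueError("need at least one blocklist-matching and one control name")
    if not any(controls.values()):
        return "no-network"
    if not any(canaries.values()):
        return "suspicious"
    return "ok"


def resolve_all(hostnames):
    out = {}
    for h in hostnames:
        try:
            socket.gethostbyname(h)
            out[h] = True
        except OSError:
            out[h] = False
    return out


# Constructed samples in the layout sc prints.
SAMPLE_SC_RUNNING = """SERVICE_NAME: wuauserv
        TYPE               : 20  WIN32_SHARE_PROCESS
        STATE              : 4  RUNNING
                                (STOPPABLE, NOT_PAUSABLE, ACCEPTS_SHUTDOWN)
"""
SAMPLE_SC_STOPPED = "SERVICE_NAME: wscsvc\n        STATE              : 1  STOPPED\n"

if __name__ == "__main__":
    for svc in SERVICES:
        print(f"{svc:10} {query_service(svc)}")
    # Assumed hostnames: two that match the list, two controls that do not.
    probe = ["www.microsoft.com", "www.symantec.com", "www.example.com", "www.wikipedia.org"]
    print("DNS:", dns_verdict(resolve_all(probe)))
```

A STOPPED wscsvc or wuauserv on its own is not proof of infection (people do turn them off), but combined with a “suspicious” DNS verdict it matches the behaviour Microsoft describes closely enough to pull the machine off the network and run the patch and a clean scanner from removable media.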
For more about technical signs of the worm see:
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_DOWNAD.KK&VSect=T
All of your current AV programs should detect it! But definitely patch your system!
Debbie
Related Resources:
http://www.infoworld.com/article/09/03/09/Hackers_update_Conficker_worm_evade_countermeasures_1.html
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_DOWNAD.KK&VSect=T
http://www.microsoft.com/technet/security/bulletin/MS08-067.mspx
http://technet.microsoft.com/en-us/security/dd452420.aspx
http://www.theregister.co.uk/2009/03/30/conficker_signature_discovery/