As you may remember from several of my previous posts - RUBotted Popup and Microsoft Bulletins and Botnets,  just to name a few – that I use Trend Micro’s RUbotted regularly and recommend using it.

I’ve noticed that there is a continuous false positive appearing on my pop-up message every time I visit a specific forum I belong to on Bravenet.

Specifically, I receive this message:

(Click to see larger image)

Not only do I receive the “Botnet found” pop-up message when visiting the forum, I get the reported results that Trend Micro RUBotted has, “detected DNS query of malicious domain” without giving a IP address or a malicious domain to verify what’s up with that.

Since I’m running Trend Micro Internet Security, I don’t click the message to run House Call.  But I did run all my other tools to check for some kind strange botnet-like behavior on my machine.  And that included checking all my open connections on my computer to see if there was something running in the background that I wasn’t aware of.

But, alas and alack, there was nothing.

So that led me to start researching what the heck this message might be related to.  I researched the message, “detected DNS query of malicious domain” only to find others experiencing the same kind of problem but on different sites.

I then started looking for the trigger point of this message on the forum I belong to – which has led me to the conclusion that this is a false positive for me.

Now don’t get me wrong, there are sites that will trigger this because an advertisement or hidden code in the site page programming could be triggering it. So don’t assume that all the “detected DNS query of malicious domain” messages are all false positives. THEY ARE NOT!

For those of you who are bit more technically inclined than others, let me explain how I researched this so you can do your own bot check on a site triggering the RUBotted pop-up.

Once I was in the forum on Bravenet and I received the pop-up message that there was a botnet found, I accessed the View Page Source to see the coding behind the page I was seeing.  I looked at every single link to see if there was some outside IP address or outside website that this would trigger. All references in the links on the page referred to the forum at bravenet’s website.

However, on certain pages, there are links to websites from people writing in the forum and upon researching one of those links, I found that it had been listed as a potential malware site.  So, it isn’t necessarily the site you’re visiting that creates the false positive, it could be something on the page itself, or a link to a potential or known malware site.

There are also questions raised out there that Bravenet itself is a malicious site, but because it hosts FREE forums on the site, there’s no doubt in my mind that someone may have set up a forum with the intent of directing people to a malicious site.  But I went to Bravenet the dot com and did not receive the RUBotted message pop-up. So it was definitely not that site that was the malicious domain.

The take away point of this post is, sometimes you will get false positives.

When in doubt, assume the worse unless you know with all certainty that the site you are on is indeed safe.  In my case, the forum I belong to is an invitation only forum of professional people.

Remember, advertisements such as Google ads and others can alternate malware advertisers on a site that would trigger RUBotted. So if the site you’re visiting is heavily laden with advertising, you can safely assume that it was an ad that triggered the query of a malicious domain.

As I say repeatedly, ALWAYS err on the side of caution when it comes to security!  And I think Trend Micro’s RUBotted does that.

I hope this has helped resolve some of the confusion out there.

There are a lot of things that I encounter that most people don’t due to the nature of my work.  And honestly, many of the problems I’m called upon to fix can be avoided by taking simple steps to practice what I’d like to think is “common sense” security with a healthy dose of mild paranoia.

That being said, I’m going to relate to you, my top 5 Facebook security tips to help you learn some of these common sense techniques while employing that healthy dose of mild paranoia.

Tip #1: Assume that Facebook (or any social network for that matter) is not secure.

I know you read all the social networking articles about how Facebook has upgraded their security, changed their security settings to protect you better, and so on and so forth.  However, there are about the same amount of news articles being posted of how the Facebook security settings didn’t work as they were intended which allowed everyone to view your profile information or your friends, how some hacker accessed Facebook account information on hundreds (and thousands) of users exposing login information and other personal data, and the list of flaws could go on.

The point is, as long as there are hackers and identity thieves, there will be flaws in even the most promising security. Assume that nothing is secure.

Tip #2: Don’t post anything you would not want a stranger to see.

Just recently, a friend of mine saw that two of his Facebook connections had posted their new cell phone number on their wall. When my friend decided to call them out on such behavior, the two friends replied that only their select friends could see the post based on the security setting used when posting.  See Tip #1 above if you believe that the information you’ve posted and set to secure is indeed secure.

Tip #3: Social Engineering is the hackers tool of choice.

Social engineering is the art of becoming friendly with a person and thereby gaining your trust. Once trust is established, the hacker can then casually get you to disclose your personal information easily and effortlessly.

As part of my student’s assignment in my computer security courses, they are taught how to employ social engineering and have the assignment of just watching for signs that someone is using it. One student took those skills to a cell phone kiosk and while chatting casually with a woman about a cell phone she was using, gained information about her 4 digit pin code to lock her phone and that she used that number for everything including ATM machines.  By the end of the conversation, he knew where she worked, her full name, and what she did for a living. He did all this by pretending he wanted to buy the phone she was holding in her hand! He was shocked not only by the fact that he was able to effortlessly get this information out of her, but that he, with little training was able to accomplish it.

Keep in mind that most hackers don’t need complex scripts or tools to betray you. You give them the information freely every day.  And if you have any doubt about that, think about how many times you hear people disclosing personal information while on their cell phones near you!

Tip #4: Pay attention to your friends.

The biggest sign that something isn’t right is when your friends start behaving in ways that are not common for them to behave. What I mean by that is, recently, I had one of my Facebook friends inbox me that she was in the U.K. stranded and needed some money to get home.  As it turned out, her account was hacked and this message went to all her friends.  I knew she wasn’t in the U.K. but had just launched a new solo business. Because I was paying attention to her posts and the way she interacts, I didn’t fall for the scam.

Many times, account hacks are not so easily detected. For example, a teen received a link from a friend in Facebook chat. The friend always sends various links to him via the chat. The sad news was that the link was to a malware site that totally destroyed his laptop.  This situation leads me to Tip # 5 below.

Tip #5: Always err on the side of caution.

This is where the healthy dose of paranoia comes in.

As in the case of the teen given the link from Tip #4 above, the teen should always respond back to the friend before clicking the link.  If the hacker is on the friends account, one of two things will happen. Either he/she won’t respond back to the chat ping, or they will not be able to answer the question regarding the link properly.

Let me explain.  Let’s say that this teen and his friend normally share links having to do with monster trucks because they both love them. But they hate cross-overs and SUVs.  The teen could have responded to the chat link with the following message, “Is this another video about that awesome Cadillac Escalade?”  A hacker, not knowing that their being baited, will respond, “Yes!”  Thinking that this should be the appropriate response. If the friend legitimately sent the link, then the friend will definitely ask you if you are a hacker on the account because his friend would never respond like that!

The point is, there is a way to test your friends using very intimate details about your relationship that only the two of you know and has not been publicly announced on your Facebook wall. Obviously, if this teen and his friends bash cross-overs or SUVs, then this example might not work. But I think you get the picture.

Remember, security is a process – not an endpoint.

Well, what do you think?

I half expected an announcement, but I was pleasantly surprised when I opened my Artisteer (#1 WordPress Theme Generator. Instantly create great looking and professional WordPress Themes).* software to find an update available.  They are now supporting WordPress 3.0! YEA!

I haven’t looked at it yet, but I’m sure it will be fantastic.

Our blog layout was designed using Artisteer software (as well as many custom designs for our clients) and I was so disappointed when they didn’t immediately support WP 3.0.  I upgraded my clients but I couldn’t update their theme to take full advantage of the new features in 3.0.

But alas, this is not a problem now!

I will be using the new Artisteer (#1 WordPress Theme Generator. Instantly create great looking and professional WordPress Themes).* today and I will let you know how well it works.  And, you’ll know it’s working well when you see our theme upgraded too! I’m so excited! (I know, it doesn’t take much!)

Oh, and I was so happy to see the new support, that I even upgraded my version of the software so I’m now able to design for Joomla, Drupal, DotNetNuke, and Blogger! Sweet!

*TIIM: The links in this post and on the right side of this blog are affiliate links. I so believe in this software (because I personally use it!) that I’ve joined the affiliate program!

This post will probably affect maybe 1% of our readership, but I felt it worthy of posting anyway.

I have been having problems for quite some time using HootSuite for my social networking in both Firefox and IE 8 browsers. I finally found that it worked best in IE8 if that was the only thing running. Meaning, I didn’t have other tabs open like I so often do with Firefox. And, I can run IE 8 with HooteSuite while having my Firefox open with all the tabs I want without interference.

This morning, I made an amazing discovery! I had HooteSuite running in my IE and I had opened Firefox to log in to my BlogTalk radio show. Panic set in!

BlogTalk radio would not load properly and even when I tried to call in to the switchboard, the phone call would not connect and my switchboard items became dimmed out.  (Now why the calling part would be related to the online switchboard I don’t know.) With less than 3 minutes to show time, I started panicking!

I don’t know what made me shut down IE and HootesSuite, but as soon as I did, I was able to connect to the BlogTalk radio switchboard and my call went through!

When I decided to write this post, I went back to each page – HooteSuite and BlogTalk Radio – and looked at the page sources to see what might be conflicting.

Both sites use JavaScript but I’ve never had a problem having multiple tabs open with JavaScripts running on each page. Even the most complex JavaScript doesn’t seem to be resource intensive by any means.

The problem appears to be Flash. I don’t know whether each of these sites are so Flash intensive that the browsers (both IE and Firefox) can’t handle it, or whether there is a conflict with the resources being used by each and the way the browsers manage it.

Even now as I type this post, I have the radio switchboard open in one tab and HooteSuite open in another and I’m getting a lag in the typing here in the WordPress blog tab.  It seems to happen when either HooteSuite is updating the tweets, or when BlogTalk radio refreshes the page for the advertising at the top. Which appears to be handled by JavaScript so I’m really confused!

Anyway, I wanted to put this out there so anyone who might be having a problem using HooteSuite might benefit from knowing that you may have to restrict using it with other resource intensive sites.  At least until we can upgrade to such a powerful computer that it won’t matter how resource intensive a web app is for the browser! (Where is an affordable terabyte processor when you need one? )

So, if you’ve been kicked out of our radio show chat or lost your sound during a show, make sure that you’re not running HooteSuite in the background while you’re listening to the show live. I bet you won’t experience any problems during the show!

BTW, I know that friend of the show, Charles Taggart, uses TweetDeck during the show and he has never reported being kicked out of the live chat nor losing sound. (Yes Charles, I’ve heard the chirps over our phone conversations! LOL) So, whatever the difference is between how TweetDeck and HooteSuite is programmed to work, is where the problem is.

And I’m not going to blame the browsers on this one! Are you surprised? (GRIN)

Over the weekend the roomie notifies me that not only did Trend Micro catch a few Trojan viruses, there appeared to be some malcode in his Firefox folder!

First, the Trend Micro results prompted the roomie to do a full Malwarebytes scan.  That turned up the interesting results shown below.

(Click to view full image)

Trend Micro had by this time quarantined or deleted some of the other files.  All were the same Trojan with variant extensions.

Notice in the image above, that the worm and Trojan agent are found in what is usually the “typical” installation of Firefox. If you install Firefox on a Windows computer, it will put Mozilla Firefox folder in the Program Files. But notice I also said, a “typical” installation of Firefox!

My roomie is aware of the dangers of the web. He’s no stranger to this stuff. (Wonder why?)  So, he NEVER installed his Firefox browser on his computer. Instead, he uses the Portable Apps version that is on his Flash Drive or USB stick.

It never was a typical installation – which may have been what saved his computer from a whole lot of damage!

The files that were found beneath this folder give me an indication that this was a theme or persona he tried out when the new Firefox was released.  The install.rdf resembles – somewhat – the typical install.rdf in a theme with some minor alterations to the file. (Please note: I’ve saved the original files as TEXT so you can see what I see.)

There were a few other files that I will need to open in another program to read as they are not text readable.  Not sure exactly what kind of code it is yet and frankly, it doesn’t look like it’s even English programming code.  But if anyone from Mozilla would like the files, I’ll be happy to turn them over to someone in that community or to any security researcher.

There was another strange code inside a folder which was structured like this: C:\Program Files\Mozilla Firefox\extensions\{9CE11043-9A15-4207-A565-0C94C42D590D}\chrome\content\timer.xul.  As far as I can remember, I do not remember seeing a timer anything in Firefox files.

So, I opened that up in my text editor to find this:

This code led to a site that does not have a home page if you back out the extraneous stuff after the .com.  So, full security enabled, I went to the full link to be displayed a blank page. However, I right clicked on that page and saw that there was code beneath the blank white page.

This:

PLEASE DO NOT ACCESS THESE SITES ON YOUR OWN! I have a high level of security on my test machine and do not put my own private PC at risk.

I won’t get into the details of what the code does but suffice it to say that it’s really redirecting you to the site specified in the code.  And guess what Trend Micro says about that site?

Interesting that if you do a search on this website, it’s listed as everything from web search hijacker to a virus!

And it’s run by some shady characters.  Just look here – it’s safe – http://www.robtex.com/dns/mysearchcorp.com.html.

Okay, so we tracked down the bad guys. The point is how did this get into my roomie’s computer?

He was downloading and trying on different Themes and Persona’s.  And due to the fact that all the code points to a directory on his computer that should have never been created because he uses Firefox on his flash drive, AND the fact that it created an install.rdf and a few other files synonymous with a theme.  Plus the fact that the timer.xul has references to an “overlay” and a blacked out background makes me also suspicious.

When my roomie went back to Trend because we couldn’t see the network shared folder so he could pass on these files to me, it was discovered that all his Network Protocol entries under his firewall settings had been damaged or deleted. He had to uninstall and reinstall Trend Micro once again.  In all my years of working with Trend Micro, I’ve never seen anything take out the protocols under the firewall before! Very scary!

Lastly, he tells me that around this time, he may – or may not – have had his Trend Micro RUBotted trigger when he was visiting sites.  Bad sign!

Since many of the files were damaged or deleted in the scans, I can’t say with 100% certainty that this was a theme or persona. But I am saying BE CAREFUL in case it is a new attack vector. We’ve seen some Firefox add-ons removed due to their containing malware in the past. Did the jerks move to persona’s and themes next?

Just a quick note because I covered all the shortcut / Icon patch info in my Critical Update Newsletter today.  (Maybe you should sign up too – especially if you’re being misinformed by others!)

But there is misinformation circulating about the Microsoft unscheduled patch today. Several sites I’ve visiting said that the folks who are still using Windows XP SP2 will be out of luck. That is NOT true!

As I stated in my previous post about Windows XP SP2 rumored extended support, this kind of patch falls under the EXTENDED Support that continues for XP SP2 until April 8, 2014.

And to prove I know what I’m talking about, just go directly to the Microsoft Patch site and see for yourself! It says:

System Requirements

• Supported Operating Systems: Windows XP Service Pack 2; Windows XP Service Pack 3

So, if you would like to fix you system with the patch and are using Windows XP SP 2 or SP 3, you can go here and get it without waiting for the auto-update:

http://www.microsoft.com/downloads/details.aspx?familyid=12361875-B453-45E8-852B-90F2727894FD&displaylang=en

Some disturbing news hit the wires yesterday late in the afternoon that I really need to make you aware of.

As we’ve discussed in our recent radio show broadcast on Technical Tidbits in the Social Media Remorse episode, many of us are using smart phones to engage and keep up-to-date. Besides being a quick way to respond – and not always thinking before we do as that episode points out, there’s yet another danger that has been brought to light by a Free Mobile Security provider for Smartphones – Lookout.

The AP reported that Lookout has found that many of the apps you use on your iPhone and Android enabled smart phone, are sending back some of your personally sensitive data and forwarding it to third parties without your consent or knowledge.

The AP article, What your phone doesn’t say: It’s watching, Reporter, Jordan Robertson states:

Lookout Inc., a mobile-phone security firm, scanned nearly 300,000 free applications for Apple Inc.’s iPhone and phones built around Google Inc.’s Android software. It found that many of them secretly pull sensitive data off users’ phones and ship them off to third parties without notification.

The article points out:

The data can include full details about users’ contacts, their pictures, text messages and Internet and search histories. The third parties can include advertisers and companies that analyze data on users.

The information is used by companies to target ads and learn more about their users. The danger, though, is that the data become vulnerable to hacking and use in identity theft if the third party isn’t careful about securing the information.

This is a disturbing piece of information for all smart phone users! And it’s not just the new evil-doers of wifi data collection Google! Apple’s apps are guilty too!

Well, Microsoft, move over! You’ve got company on the “evil” sofa of software developers in the hall shame!

And shame on the app developers and the third parties collecting this data! You’re all GUILTY in this one!

A special thank you to Lookout, Inc. for discovering this! I’m glad someone is watching!  (And no! The links are not affiliate links! The software is free!)

Read the full article: What your phone doesn’t say: It’s watching

I had read somewhere on another blog (or maybe it was twitter?) that allegedly Microsoft XP had extended the support for SP2 on the day it was set to expire – July 13, 2010.

Now maybe I read the other blog (or tweet) wrong, or maybe the blog owner (or tweeter) was confused. I don’t know which is true.

But here’s the truth about Windows XP SP2 and Windows 2000 support straight from Microsoft.

Extended Support

During the Extended Support phase for Windows XP, Microsoft will continue to provide paid support and security updates at no additional charge. Extended Support for Windows XP will retire on April 8, 2014. (Source: Microsoft)

So what does ‘Extended  Support’ mean?

Support options for Windows XP SP2 after July 13, 2010:

• Customers will have access to limited break/fix troubleshooting for Windows XP SP2.
  Note: If the support incident requires escalation to the product development teams for further guidance, requires a hotfix, or requires a security update, customers will be asked to upgrade to a supported service pack.
• Customers with a Premier Support agreement also have the option of purchasing Custom Support while they migrate to a supported product or service pack. The Custom Support offerings include access to security hotfixes.

(Source: Microsoft)

What You Should Do

If you are like me and have no desire to upgrade your equipment and you like XP, you can keep it. But you should update to SP3.

Now, there’s a trick to that.  I have experienced, as have my clients and students, a HUGE slowing of the system once you upgrade to SP3 over a current system.  I don’t know why, it just happens. But, if you reinstall the operating system and upgrade to SP3 on a clean system, the slow down doesn’t happen. Again, I don’t know why.

If you’ve had that happen and you uninstalled SP3 because of it, then I suggest you do what I did.

• Back up your important files that you need saved.
• Make a list of every software you have installed on your system and make sure you have reinstall disks or know where to get the reinstall information.
• Check your device manager and make sure you know what drivers you’ll need upon re-installation by knowing the devices you have on your system.  If you have a major manufacturer’s system, like Dell, HP, and so on, you can usually download all your drivers from their support site. Download them BEFORE you do this and burn them to a CD uncompressed or unzipped.  That way, if you can’t access the Internet due to a missing driver, you have all of them handy!
• Confirm that you have all the license numbers for all your software.
• Back up your email program if you use something like Outlook or Thunderbird. (Web-based e-mail on Yahoo or Gmail does not disappear. It stays on their servers. You just need to remember your login information.)
• Reinstall Windows XP clean and update to SP3.
• Reinstall your programs and put your files back.

Making it Easier

You can use a program like Belarc Advisor to run a scan of your system and print a report to tell you what software is on your computer, the drivers you’ll need to have a copy of and other important details.  It is free.

Also, please be aware that this program may set off your security software. Rest assured that it is not a virus or malware. It has to do with the way it scans your system for the reporting. It performs certain functions that mimic malware which sets off your software.

If You Do Not Have A Windows XP Install CD

If you want to do this and do not have a Windows XP Install CD, use the Contact Page to contact me.  I will help you out.

I cannot give you a license key however. You need that long code (I think it’s 24-characters?)  that’s usually on the side or back of your computer. That’s your Windows Key for installing. But any Windows CD will work to reinstall your OS as long as you have the right version and the key.

So, if you have Windows XP Home and the key sticker on your machine (or somewhere in your paperwork), you can borrow your neighbors CD to reinstall using your key.

If you have Windows Media Center and your neighbor has XP Professional, you cannot use the disk with your key. It has to be EXACTLY the same version to match your key.

Occasionally, you will have to call the Microsoft support center to get a new installation number.   I don’t know what triggers that but I’ve had to do it several times. I think they now have my name in a database somewhere that says if this crazy woman calls, give her a key! When they ask me why I need a new key, I tell them I had to reinstall their lame operating system again because it crashed for the 100th time again! (SMILE)

So, there’s the truth about the Windows XP SP2 Support expiration.

The only thing Microsoft did do,  was extend the option to downgrade to XP from Windows 7 for a longer time.  If you are curious about that option, you can check out another blog post I found on the subject here:  One Microsoft Way.

A few posts back, I commented about signing up for the IM Faceplate new site.  And maybe today was the wrong day for someone to spam me with a phishing message.

I’m busy. I don’t have time for your lame a** attempts to treat me like I’m some kind of freaking idiot! But today is the day someone chose to send me my first phishing spam on IM Faceplate.

(Click to view larger image)

And yes, I did send that response.

I know, I know! You are never supposed to answer spammers. But I am just so sick of these morons!

I actually considered going to Yahoo and hacking this morons e-mail account and really mess them up. But when I stopped to think about it, I closed the browser tab and said it’s not worth my energy.  (But it did feel good to think about it for a brief second!)

What is worth my energy is trying to educate users that these kind of e-mails or messages are NOT legitimate! If everyone would understand that and STOP responding to them, they would quit because they wouldn’t be making any money!

These freaking idiots make money off unsuspecting users who think that they suddenly struck it rich. You contact them and give them your most intimate financial details so they can transfer millions into your bank account only to drain your account AND sell your information on the black market to even more people! Many of these kinds of scams are fronts for Identity Theft!

Spam and phishing will not stop until people STOP FALLING FOR IT! When there’s no money to be made by selling your identity on the underground, no bank access to funnel money out of your account, and no Western Union funds being forwarded to Nigeria, then these people will stop.  No one puts any effort into something that doesn’t make them money!

SO STOP RESPONDING TO THESE MESSAGES!

How much clearer do I need to make this?

Almost two years ago, I received an unsolicited US Postal mail envelope with a cashiers check for a sizable amount of money. Inside there was a letter from what looked like a legitimate “Secret Shopper” company telling me I had been selected to be  secret shopper. All I had to do was cash the check, and do some shopping. Then I was to report on my experience with these several companies I was to use the money for. The remaining balance of the check was mine to keep.

Having been in this business too long, I knew what was up. But the dead giveaway – in case I had any doubts – was the fact that I was to send $1,000 of this sizable check back to the shopping company via Western Union money gram and report my experience on the service at Western Union.

I turned the letter and check over to the postal authorities because fraud through the mail is a Federal offense. And wouldn’t you know it, the cashiers check was a forgery. The problem is that if I cashed it, the forgery would not have been detected for over 4 weeks – long after I may have spent all the money, which included sending it back to the shopping company via Western Union!

I don’t normally mix my metaphysical lifestyle with my technical work, but if you really are having financial difficulties, maybe you need to change your thinking and a message from a stranger promising you millions of dollars or even a fast way to get rich quick is not going to be the answer! Remember the saying? “If it sounds too good to be true, it probably is!”

If you are having so many issues with your finances, perhaps you need to change the direction of your life and your thinking. And that goes to the spammers and phishers out there too! Eventually, you will be caught or your means for making an income off the stupidity of other people will finally come to an end. Why don’t you think about changing the way your life is going? Come up with a legal way of making money. What a concept huh?

And for those of you who bemoan the “bad economy” you need a reset too!

If you’re ready to change careers or want to reset your thoughts, perhaps you might want to check this out.

And that’s all I’m going to say about that.  (And yes, it is an affiliate link. And yes, I’m taking the course myself.)

What you do with that link is up to you.

BUT! Do not believe for one minute that your luck has changed and respond to a phishing, spamming e-mail message! That advice will NEVER change!