advertisement acts like virus, how to fix and prevent security bug?

Support and discussions for the x86/x64 Linux version of Pale Moon.

Moderators: trava90, satrow

seahorse41
Newbie
Newbie
Posts: 3
Joined: Wed Aug 02, 2017 6:35 pm

advertisement acts like virus, how to fix and prevent security bug?

Postby seahorse41 » Tue Sep 05, 2017 5:59 pm

A page's usual javascript advertisement opened a new tab, but this time what it loaded acted like a virus. What is the correct way to undo it, and how to prevent this from happening?
Since I took screenshots, I have Detail:
The new tab first shows a url of hxxp://secure.calch.gdn/performance/bdv_rd.dbm?enparms2=

followed by a lot of comma delimited numbers that goes off the right side.
The popup says:

Authentication Required
A username and password are being requested by hxxp://138.197.4.141. The site says: "Internet Security Alert: Your Computer Might be Infected by Harmful VirusesnCall Windows Technical Support: (Toll Free) (866) 564-0233 (Toll Free)"

/end popup message.
If I press Cancel, it proceeds to load a page. If I press X to close the app, it ignores me. The only way to stop it was to kill it from a terminal.

Next it opens a page that plays an audio file that thankfully isn't with an indian accent like I get on the telephone, but the sales pitch is familiar. I think the fraudsters are expanding their reach... but back to the facts:

The page it loads is url: hxxp://138.197.4.141/as/?c59aedd2db77fa0ftfn1d59aedd2db783e=(866) 564-0233

including that parenthesis and space not auto-included in the A href tag. and again the popup with the Authentication Required title.
My concern is next the popup, is it a safety stop by the browser, or since cancel PROCEEDED to this second page, is is actually being generated by the page, and is a fraudulent deception? :shock:

After killing the browser, and restarting it, the 2nd page auto-reloads, but I don't want this!! It again has the popup, and does not allow me to click anywhere else.
I need to find the command line way to start in safe mode, since the help provided so far by google search requires a setting while the browser is open, which is not an option in this case.

Is this a security hole? Please investigate and advise.

edit: I found the -safe-mode option, so I answered that question myself.
Version is:
Debian 8 Linux , palemoon package 27.4.2~repack-1
Last edited by Moonchild on Tue Sep 05, 2017 9:14 pm, edited 1 time in total.
Reason: Links killed to prevent fanatic clickers from hitting the trap -- http -> hxxp

User avatar
Moonchild
Pale Moon guru
Pale Moon guru
Posts: 19933
Joined: Sun Aug 28, 2011 5:27 pm
Location: 58.5°N 15.5°E
Contact:

Re: advertisement acts like virus, how to fix and prevent security bug?

Postby Moonchild » Tue Sep 05, 2017 6:10 pm

Unfortunately evil trap sites like this abuse normal browser actions (in this case looping a basic http auth request). This is generated by the server you are directed to. Pressing cancel would normally return an "authentication failed" page, but the people who set up this site clearly abuse custom error pages to have you be redirected right back to the page you were on, repeating the process.

You can safely force-close the browser to get out of this mess.
If you close the browser forcefully, it will generally restart one time with the same windows and tabs automatically and will reload everything (unfortunately including the page that trapped you). If you force close it a second time when this happens, it will give you a session restore window where you can uncheck the "windows alert" tab so it will not be restored.

What you should do is contact the abuse department for 138.197.4.141 and inform them of this issue and that it is being abused to try and phish for people's credentials with fake scare tactics.

According to whois, this is abuse@digitalocean.com (a commonly abused virtual server provider). Provide them with the exact information you've given in this thread.
Improving Mozilla code: You know you're on the right track with code changes when you spend the majority of your time deleting code.

User avatar
magic
New to the forum
New to the forum
Posts: 2
Joined: Tue Sep 05, 2017 3:29 pm

Re: advertisement acts like virus, how to fix and prevent security bug?

Postby magic » Tue Sep 05, 2017 6:49 pm

If you're quick enough, you can close the tab with CTRL+W right after dismissing the authentication request by clicking on Cancel.

seahorse41
Newbie
Newbie
Posts: 3
Joined: Wed Aug 02, 2017 6:35 pm

Re: advertisement acts like virus, how to fix and prevent security bug?

Postby seahorse41 » Thu Sep 07, 2017 8:58 pm

So it seems modifying history is part of HTML5, and calling history.pushState(0,0,uglyLongString) (and extending uglyLongString every loop for a hundred million times) is not a security flaw, I guess I'll drop it as a non issue.

Last idea then, there should be some means of killing a tab that has that authentication window up, just to make this a non-issue for the future.

josephd
Moonbather
Moonbather
Posts: 71
Joined: Tue Sep 09, 2014 12:15 pm
Location: Tennessee

Re: advertisement acts like virus, how to fix and prevent security bug?

Postby josephd » Thu Sep 07, 2017 10:11 pm

May want to watch what you download. I found the following which may help.

In case your web browser is permanently getting redirected to the secure.calch.gdn domain, then it is quite likely that you have an adware application installed on your computer.


http://www.deletevirus.net/secure-calch ... us-remove/

stevepusser
Lunatic
Lunatic
Posts: 256
Joined: Sat Aug 01, 2015 6:33 pm
Location: California

Re: advertisement acts like virus, how to fix and prevent security bug?

Postby stevepusser » Fri Sep 08, 2017 2:45 am

josephd wrote:May want to watch what you download. I found the following which may help.

In case your web browser is permanently getting redirected to the secure.calch.gdn domain, then it is quite likely that you have an adware application installed on your computer.


http://www.deletevirus.net/secure-calch ... us-remove/


That''s not impossible in Linux, but much, much more rare than in a certain other OS.

RJARRRPCGP
Moon lover
Moon lover
Posts: 97
Joined: Mon Jun 22, 2015 7:48 pm
Location: USA (Bellows Falls, Vermont)

Re: advertisement acts like virus, how to fix and prevent security bug?

Postby RJARRRPCGP » Thu Sep 14, 2017 10:27 pm

Looks like typical malvertising.

Or you clicked on a fake download button... Whoever came up with those download buttons, deserves to be executed!!

doffen
Moongazer
Moongazer
Posts: 14
Joined: Thu Apr 20, 2017 12:21 pm

Re: advertisement acts like virus, how to fix and prevent security bug?

Postby doffen » Sat Sep 23, 2017 2:01 am

I have downloaded hosts.zip from this site: http://winhelp2002.mvps.org/hosts.htm
Right-click and choose Open archive. Select the file HOSTS and readme.txt, and Extract. (the other stuff is windoze)
Copy the top lines from your old /etc/hosts, and add them to HOSTS, it is vital that the first uncommented line contains: 127.0.0.1 localhost (mine reads 127.0.0.1 localhost puppypc)
Rename /etc/hosts to /etc/old-hosts. (tiny file, leave it there, bothers nobody)
Right-click HOSTS and save-as /etc/hosts.
You have now blocked almost 15000 addresses from unloading their stuff in your browser.
Not perfect, but it feels good! :D

User avatar
Thehandyman1957
Board Warrior
Board Warrior
Posts: 1143
Joined: Tue May 19, 2015 2:26 am
Location: Arizona U.S.

Re: advertisement acts like virus, how to fix and prevent security bug?

Postby Thehandyman1957 » Sat Sep 23, 2017 2:50 am

doffen wrote:I have downloaded hosts.zip from this site: http://winhelp2002.mvps.org/hosts.htm
Right-click and choose Open archive. Select the file HOSTS and readme.txt, and Extract. (the other stuff is windoze)
Copy the top lines from your old /etc/hosts, and add them to HOSTS, it is vital that the first uncommented line contains: 127.0.0.1 localhost (mine reads 127.0.0.1 localhost puppypc)
Rename /etc/hosts to /etc/old-hosts. (tiny file, leave it there, bothers nobody)
Right-click HOSTS and save-as /etc/hosts.
You have now blocked almost 15000 addresses from unloading their stuff in your browser.
Not perfect, but it feels good! :D


You know you can do the same thing with Ublock too right? :problem:
Screenshot - 9_22_2017 , 7_50_03 PM.png
“Life can only be understood backwards; but it must be lived forwards.”
― Søren Kierkegaard

User avatar
adesh
Lunatic
Lunatic
Posts: 323
Joined: Tue Jun 06, 2017 7:38 am

Re: advertisement acts like virus, how to fix and prevent security bug?

Postby adesh » Sat Sep 23, 2017 7:15 am

Yes, that's a good solution for a single browser. But blocking domains with /etc/hosts trick affects applications system-wide.

User avatar
Moonchild
Pale Moon guru
Pale Moon guru
Posts: 19933
Joined: Sun Aug 28, 2011 5:27 pm
Location: 58.5°N 15.5°E
Contact:

Re: advertisement acts like virus, how to fix and prevent security bug?

Postby Moonchild » Sat Sep 23, 2017 7:40 am

An important side note is that using an excessively large hosts file WILL slow down all your network traffic. It's not designed to be used as a blocklist, and looking through the hosts file domain list every time a DNS lookup is made makes the DNS lookup client in Windows very slow when thousands of entries are present.
Improving Mozilla code: You know you're on the right track with code changes when you spend the majority of your time deleting code.

User avatar
satrow
Forum staff
Forum staff
Posts: 1492
Joined: Thu Sep 08, 2011 11:27 am

Re: advertisement acts like virus, how to fix and prevent security bug?

Postby satrow » Sat Sep 23, 2017 9:49 am

Moonchild wrote:An important side note is that using an excessively large hosts file WILL slow down all your network traffic. It's not designed to be used as a blocklist, and looking through the hosts file domain list every time a DNS lookup is made makes the DNS lookup client in Windows very slow when thousands of entries are present.


That can be ameliorated by disabling the DNS Client Service (or if your network requires the use of the DNS Client Service, by using one of the workarounds listed from about halfway down):

Windows DNS Client Service

In most cases the DNS Client Service is not needed, it is recommended to turn it off. These instructions are intended for a single (home-user) PC. If your machine is part of a "Domain", check with your IT Dept. before applying this work-around. This especially applies to Laptop users who travel or bring their work machines home. Make sure to reset the Service (if needed) prior to connecting (reboot required) to your work Domain ...

To resolve this issue (manually) open the "Services Editor"

Start | Run (type) "services.msc" (no quotes)
Win8 users - Control Panel > Administrative Tools > Services
Scroll down to "DNS Client", Right-click and select: Properties - click Stop
Click the drop-down arrow for "Startup type"
Select: Manual (recommended) or Disabled click Apply/Ok and restart.

Hostsman or Hosts File Editor includes an option to turn off the DNS Service

When set to Manual you can see that the above "Service" is not needed (after a little browsing - when set to Manual) by opening the Services Editor again, scroll down to DNS Client and check the "Status" column. It should be blank, if it was needed it would show "Started" in that column. There are several Utilities that can reset the DNS Client for you ... [more info]



Important! If you are using Network Discovery then the DNS Client service is required and should not be set to either Manual or Disabled.

Workaround for using the MVPS HOSTS file and leaving the DNS Client service enabled (set to: Automatic)

If you find after a period of time that your browser seems sluggish with the DNS Client service enabled you can manually flush the DNS cache
Close all browser windows ... open a "Command Prompt" from the Start Menu > All Programs > Accessories > Command Prompt
Win8 users - Charms Bar > Search > (type) command prompt > Select: Command Prompt (left pane) Ok the UAC prompt
(type) ipconfig /flushdns (press Enter) Then close the Command Prompt ...

A better Win10/8/7/Vista/ workaround would be to add two Registry entries to control the amount of time the DNS cache is saved. (KB318803)

Flush the existing DNS cache (see above)
Start > Run (type) regedit
Win8 users - from the Charms Bar, select: Search (type) run and select Run (left pane) and (type) "regedit" (no quotes)
Navigate to the following location:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters
Click Edit > New > DWORD Value (type) MaxCacheTtl
Click Edit > New > DWORD Value (type) MaxNegativeCacheTtl
Next right-click on the MaxCacheTtl entry (right pane) and select: Modify and change the value to 1
The MaxNegativeCacheTtl entry should already have a value of 0 (leave it that way - see screenshot)
Close Regedit and reboot ...
As usual you should always backup your Registry before editing ... see Regedit Help under "Exporting Registry files"

From http://winhelp2002.mvps.org/hosts.htm

I use HostsMan to control both the hosts + lists updating and the DNS Client, trying to split the load with the browser; hosts blocking against mostly malicious sites and servers and protecting Windows and software connections, with uBlockO (updated by uBlock Origin Updater) mostly dealing with the advertising and browser annoyances - though there is a huge amount of overlap dependent on which lists are in use.

doffen
Moongazer
Moongazer
Posts: 14
Joined: Thu Apr 20, 2017 12:21 pm

Re: advertisement acts like virus, how to fix and prevent security bug?

Postby doffen » Wed Sep 27, 2017 3:42 am

I feel a bit stupid here: :oops: I forgot to tell you that I use the Windoze hosts list in /etc/hosts in my Puppylinux Lucid 5.2.8.7, and I have not noticed any slowdown. I have modified my about:config a lot, so I may have prevented a slow down by eliminating some functions. I don't use bookmarks or history, and I delete all cookies and everything that can be deleted, on closing PaleMoon. I usually close PaleMoon between topics. And, no, I am not paranoid! :D

And Thehandyman1957, thank you for the uBlock tip!
(well: This add-on is not compatible with your version of Firefox.)
Just joking, I see they have a PaleMoon recommendtion.
The size of my /etc/hosts file is now 488K, and I see that hpHosts file is BIG: hosts.zip (5.08MB) Why? That is a serious increase in size!

doffen
Last edited by doffen on Wed Sep 27, 2017 4:32 am, edited 1 time in total.

User avatar
Nigaikaze
Astronaut
Astronaut
Posts: 585
Joined: Sun Feb 02, 2014 10:15 pm
Location: Chicago, IL, USA

Re: advertisement acts like virus, how to fix and prevent security bug?

Postby Nigaikaze » Wed Sep 27, 2017 4:17 am

doffen wrote:And Thehandyman1957, thank you for the uBlock tip!
(well: This add-on is not compatible with your version of Firefox.)

You can download/install the firefox.xpi version of uBlock Origin from here ...

https://github.com/gorhill/uBlock/releases/tag/1.14.10

... and then also install this extension to keep uBlock Origin up to date:

https://addons.palemoon.org/addon/ublock0-updater/

doffen
Moongazer
Moongazer
Posts: 14
Joined: Thu Apr 20, 2017 12:21 pm

Re: advertisement acts like virus, how to fix and prevent security bug?

Postby doffen » Wed Sep 27, 2017 4:34 am

I'll think about it!

BTW, I added some line to my previous post while you made your post.
Oh, and the hpHosts file is 26MB unpacked, with some 766000 entries. I think I'l stay with my 488K file! Last week, the file had only 4 entries, now there are 15000... :D

doffen

Walter Dnes
Lunatic
Lunatic
Posts: 346
Joined: Thu Jul 30, 2015 8:29 pm
Location: Vaughan, ON, Canada

Re: advertisement acts like virus, how to fix and prevent security bug?

Postby Walter Dnes » Wed Sep 27, 2017 10:10 pm

The problem with the universal hosts files is that they attempt to cover every ad site that everybody has ever hit anywhere on the planet. Hence the huge numbers. I have a different strategy. I go after just the ad sites that I actually get, like so...
  • Shut down Pale Moon and any other network-connecting program
  • Wait several minutes for the TCP connections to age out
  • Open up Pale Moon at a web forum that I often visit
  • Open a new tab in the same window
  • Go to about:networking in the new tab
You'll get a list of all open network connections. When you copy them to hosts, make sure that you don't block the main website itself. I have under 200 ad sites listed, and it really knocks down the load on my machine. I've got a 2008 Dell with an Intel Core2 Duo with 3 gigs of ram that I'm trying to run into the ground. It's reasonably fast.

There was one Wordpress site I often visit that would, at times, grind the Pale Moon to a halt. "top" would show from 135% to 150% cpu load; OUCH! Slashdot was another painful site. With less than 200 sites blocked. I can get away with having 4 or 5 websites open SIMULTANEOUSLY IN SEPARATE INSTANCES OF PALE MOON and the computer and Pale Moon are responsive. The ad sites that you run across will be different than the ad sites that I run across, so our lists will differ.

User avatar
satrow
Forum staff
Forum staff
Posts: 1492
Joined: Thu Sep 08, 2011 11:27 am

Re: advertisement acts like virus, how to fix and prevent security bug?

Postby satrow » Wed Sep 27, 2017 10:48 pm

You don't have to use generic hosts files, you can select specific block lists to suit your needs and usage; maybe malware, exploit and hijack sites in your hosts file to protect all your connections, with ad/tracking, misleading marketing and PUPs in your adblocking lists inside your browser(s).

http://hosts-file.net/?s=Download

Note: If you are using programs such as HostsMan, APK, uMatrix, AdBlock Plus, uBlock Origin, please consider switching from the hosts.txt file, to the individual classification files. These are both smaller, and more importantly, updated far more frequently (daily as opposed to monthly for hosts.txt). You can find the list of classification files on the hpHosts downloads page under "Individual Classifications".


Se also the list options available in uBlockO, which can also be used in a hosts file or other blocking file/add-on.

Walter Dnes
Lunatic
Lunatic
Posts: 346
Joined: Thu Jul 30, 2015 8:29 pm
Location: Vaughan, ON, Canada

Re: advertisement acts like virus, how to fix and prevent security bug?

Postby Walter Dnes » Thu Sep 28, 2017 2:18 am

Here's an idea I've been kicking around for filtering. Rather than filtering by host name, howsabout filtering by IP address range? I assume that sites like doubleclick deliberately fiddle around with adserver names, e.g. a.doubleclick.net, b.doubleclick.net, c.doubleclick.net, abc.doubleclick.net, etc. etc. And they probably randomly rotate and rename their adservers via an automated script. This is deliberately done to get past hostfile-based blocking.

I was thinking of setting up IP-address-range blocklists. No amount of screwing around with subdomain names, or even the main domain name, will get past that. Also, you'll only need one range/CIDR entry to cover what is is now umpteen adserver names. Given the scarcity of IPV4 addresses, jumping around to different address ranges is more difficult. I had originally envisioned this as a set of iptables rules, i.e. linux-specific. But on second thought, Windows users could benefit too. Is there a way to import a list of IPV4 ranges, or CIDRs, into the Windows firewall?

User avatar
adesh
Lunatic
Lunatic
Posts: 323
Joined: Tue Jun 06, 2017 7:38 am

Re: advertisement acts like virus, how to fix and prevent security bug?

Postby adesh » Thu Sep 28, 2017 8:17 am

Walter Dnes wrote:Rather than filtering by host name, howsabout filtering by IP address range? I assume that sites like doubleclick deliberately fiddle around with adserver names, e.g. a.doubleclick.net, b.doubleclick.net, c.doubleclick.net, abc.doubleclick.net, etc. etc. And they probably randomly rotate and rename their adservers via an automated script. This is deliberately done to get past hostfile-based blocking.

Instead of that, it would be better to quickly disable hostnames based on wildcard matching using dnsmasq. But then you may argue that it requires running an extra process? ;)


Return to “Pale Moon for Linux”

Who is online

Users browsing this forum: No registered users and 5 guests