advertisement acts like virus, how to fix and prevent security bug? Topic is solved

seahorse41

advertisement acts like virus, how to fix and prevent security bug?

Unread post by seahorse41 » 2017-09-05, 17:59

A page's usual javascript advertisement opened a new tab, but this time what it loaded acted like a virus. What is the correct way to undo it, and how to prevent this from happening?
Since I took screenshots, I have details:
The new tab first shows a url of hxxp://secure.calch.gdn/performance/bdv_rd.dbm?enparms2=

followed by a lot of comma delimited numbers that goes off the right side.
The popup says:

Authentication Required
A username and password are being requested by hxxp://138.197.4.141. The site says: "Internet Security Alert: Your Computer Might be Infected by Harmful Viruses\nCall Windows Technical Support: (Toll Free) (866) 564-0233 (Toll Free)"

/end popup message.
If I press Cancel, it proceeds to load a page. If I press X to close the app, it ignores me. The only way to stop it was to kill it from a terminal.

Next it opens a page that plays an audio file that thankfully isn't with an indian accent like I get on the telephone, but the sales pitch is familiar. I think the fraudsters are expanding their reach... but back to the facts:

The page it loads is url: hxxp://138.197.4.141/as/?c59aedd2db77fa0ftfn1d59aedd2db783e=(866) 564-0233

including that parenthesis and space not auto-included in the A href tag, and again the popup with the Authentication Required title.
My concern is the popup: is it a safety stop by the browser, or, since Cancel PROCEEDED to this second page, is it actually being generated by the page, and is a fraudulent deception? :shock:

After killing the browser, and restarting it, the 2nd page auto-reloads, but I don't want this!! It again has the popup, and does not allow me to click anywhere else.
I need to find the command line way to start in safe mode, since the help provided so far by google search requires a setting while the browser is open, which is not an option in this case.

Is this a security hole? Please investigate and advise.

edit: I found the -safe-mode option, so I answered that question myself.
Version is:
Debian 8 Linux, palemoon package 27.4.2~repack-1
Last edited by Moonchild on 2017-09-05, 21:14, edited 1 time in total.
Reason: Links killed to prevent fanatic clickers from hitting the trap -- http -> hxxp

Moonchild
Pale Moon guru
Posts: 35571
Joined: 2011-08-28, 17:27
Location: Motala, SE
Contact:

Re: advertisement acts like virus, how to fix and prevent security bug?

Unread post by Moonchild » 2017-09-05, 18:10

Unfortunately evil trap sites like this abuse normal browser actions (in this case looping a basic http auth request). This is generated by the server you are directed to. Pressing cancel would normally return an "authentication failed" page, but the people who set up this site clearly abuse custom error pages to have you be redirected right back to the page you were on, repeating the process.

You can safely force-close the browser to get out of this mess.
If you close the browser forcefully, it will generally restart one time with the same windows and tabs automatically and will reload everything (unfortunately including the page that trapped you). If you force close it a second time when this happens, it will give you a session restore window where you can uncheck the "windows alert" tab so it will not be restored.

What you should do is contact the abuse department for 138.197.4.141 and inform them of this issue and that it is being abused to try and phish for people's credentials with fake scare tactics.

According to whois, this is abuse@digitalocean.com (a commonly abused virtual server provider). Provide them with the exact information you've given in this thread.
"Sometimes, the best way to get what you want is to be a good person." -- Louis Rossmann
"Seek wisdom, not knowledge. Knowledge is of the past; wisdom is of the future." -- Native American proverb
"Linux makes everything difficult." -- Lyceus Anubite

magic

Re: advertisement acts like virus, how to fix and prevent security bug?

Unread post by magic » 2017-09-05, 18:49

If you're quick enough, you can close the tab with CTRL+W right after dismissing the authentication request by clicking on Cancel.

seahorse41

Re: advertisement acts like virus, how to fix and prevent security bug?

Unread post by seahorse41 » 2017-09-07, 20:58

So it seems modifying history is part of HTML5, and calling history.pushState(0,0,uglyLongString) (and extending uglyLongString every loop, a hundred million times) is not a security flaw, so I guess I'll drop it as a non-issue.

Last idea then: there should be some means of killing a tab that has that authentication window up, just to make this a non-issue for the future.

josephd
Fanatic
Posts: 134
Joined: 2014-09-09, 12:15
Location: Tennessee

Re: advertisement acts like virus, how to fix and prevent security bug?

Unread post by josephd » 2017-09-07, 22:11

May want to watch what you download. I found the following which may help.
In case your web browser is permanently getting redirected to the secure.calch.gdn domain, then it is quite likely that you have an adware application installed on your computer.
http://www.deletevirus.net/secure-calch ... us-remove/

stevenpusser
Project Contributor
Posts: 903
Joined: 2015-08-01, 18:33

Re: advertisement acts like virus, how to fix and prevent security bug?

Unread post by stevenpusser » 2017-09-08, 02:45

josephd wrote:May want to watch what you download. I found the following which may help.
In case your web browser is permanently getting redirected to the secure.calch.gdn domain, then it is quite likely that you have an adware application installed on your computer.
http://www.deletevirus.net/secure-calch ... us-remove/
That's not impossible in Linux, but much, much more rare than in a certain other OS.

RJARRRPCGP
Lunatic
Posts: 400
Joined: 2015-06-22, 19:48
Location: USA (North Springfield, Vermont)
Contact:

Re: advertisement acts like virus, how to fix and prevent security bug?

Unread post by RJARRRPCGP » 2017-09-14, 22:27

Looks like typical malvertising.

Or you clicked on a fake download button... Whoever came up with those download buttons, deserves to be executed!!

doffen

Re: advertisement acts like virus, how to fix and prevent security bug?

Unread post by doffen » 2017-09-23, 02:01

I have downloaded hosts.zip from this site: http://winhelp2002.mvps.org/hosts.htm
Right-click and choose Open archive. Select the file HOSTS and readme.txt, and Extract. (the other stuff is windoze)
Copy the top lines from your old /etc/hosts, and add them to HOSTS, it is vital that the first uncommented line contains: 127.0.0.1 localhost (mine reads 127.0.0.1 localhost puppypc)
Rename /etc/hosts to /etc/old-hosts. (tiny file, leave it there, bothers nobody)
Right-click HOSTS and save-as /etc/hosts.
You have now blocked almost 15000 addresses from unloading their stuff in your browser.
Not perfect, but it feels good! :D
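The merge step above (keep your own top lines, make sure the first uncommented line is the localhost mapping, then append the downloaded list) is easy to get wrong by hand, and a blocklist should also be checked before it is trusted. The script below is an added example, not doffen's procedure or the MVPS project's code: it takes the text of an existing /etc/hosts and a downloaded HOSTS file (both samples here are constructed, with made-up .test names), forces the localhost line first, appends the block entries as 0.0.0.0 sinkholes without duplicates, and rejects any blocklist line whose target is not a sinkhole address, because such a line would redirect a real site rather than block it.

```python
import ipaddress

# Constructed sample of an existing /etc/hosts (not the poster's real file).
EXISTING_HOSTS = """\
127.0.0.1 localhost puppypc
::1 localhost ip6-localhost ip6-loopback
192.168.1.10 nas.local
"""

# Constructed excerpt shaped like a downloaded HOSTS blocklist; the real list is far longer.
# The 203.0.113.9 line is included deliberately: a blocklist must never be allowed to
# point a real name at a real address, or it becomes a hijack instead of a block.
DOWNLOADED_HOSTS = """\
# Sample blocklist header comment
127.0.0.1 localhost
0.0.0.0 ads.example-tracker.test
0.0.0.0 www.ads.example-tracker.test
0.0.0.0 ads.example-tracker.test   # duplicate entry
203.0.113.9 bank.example.test     # not a sinkhole address: must be rejected
0.0.0.0 localhost
"""

# Only these targets are acceptable for a block entry.
SINKHOLES = {ipaddress.ip_address("0.0.0.0"), ipaddress.ip_address("127.0.0.1")}


def parse_hosts(text):
    """Yield (address, [names]) for every uncommented hosts line, dropping trailing comments."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) >= 2:
            yield fields[0], fields[1:]


def merge_hosts(existing_text, blocklist_text):
    """Return (merged_text, added_count, rejected_lines).

    The existing file's own entries come first, the first uncommented line is forced to
    be the localhost mapping, and blocklist names are appended as 0.0.0.0 sinkholes,
    skipping duplicates and any name already defined locally (localhost included).
    """
    out, seen = [], set()
    for addr, names in parse_hosts(existing_text):
        out.append(f"{addr} {' '.join(names)}")
        seen.update(n.lower() for n in names)

    first = out[0].split() if out else []
    if not (first and first[0] == "127.0.0.1" and "localhost" in first[1:]):
        out.insert(0, "127.0.0.1 localhost")
        seen.add("localhost")

    added, rejected = 0, []
    for addr, names in parse_hosts(blocklist_text):
        try:
            target = ipaddress.ip_address(addr)
        except ValueError:
            target = None
        if target not in SINKHOLES:
            rejected.append(f"{addr} {' '.join(names)}")
            continue
        for name in names:
            key = name.lower()
            if key in seen:
                continue
            seen.add(key)
            out.append(f"0.0.0.0 {name}")
            added += 1
    return "\n".join(out) + "\n", added, rejected


if __name__ == "__main__":
    merged, added, rejected = merge_hosts(EXISTING_HOSTS, DOWNLOADED_HOSTS)
    print(merged)
    print(f"added {added} block entries; rejected {len(rejected)}: {rejected}")
```

Block entries are written as 0.0.0.0 rather than 127.0.0.1 so that a blocked lookup fails immediately instead of attempting a connection to whatever happens to listen on the local machine. Run it against the real files by reading them from disk, review the rejected lines, and only then copy the merged output over /etc/hosts.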

Thehandyman1957

Re: advertisement acts like virus, how to fix and prevent security bug?

Unread post by Thehandyman1957 » 2017-09-23, 02:50

doffen wrote:I have downloaded hosts.zip from this site: http://winhelp2002.mvps.org/hosts.htm
Right-click and choose Open archive. Select the file HOSTS and readme.txt, and Extract. (the other stuff is windoze)
Copy the top lines from your old /etc/hosts, and add them to HOSTS, it is vital that the first uncommented line contains: 127.0.0.1 localhost (mine reads 127.0.0.1 localhost puppypc)
Rename /etc/hosts to /etc/old-hosts. (tiny file, leave it there, bothers nobody)
Right-click HOSTS and save-as /etc/hosts.
You have now blocked almost 15000 addresses from unloading their stuff in your browser.
Not perfect, but it feels good! :D
You know you can do the same thing with Ublock too right? :problem:

adesh
Board Warrior
Posts: 1277
Joined: 2017-06-06, 07:38

Re: advertisement acts like virus, how to fix and prevent security bug?

Unread post by adesh » 2017-09-23, 07:15

Yes, that's a good solution for a single browser. But blocking domains with the /etc/hosts trick affects applications system-wide.

Moonchild
Pale Moon guru
Posts: 35571
Joined: 2011-08-28, 17:27
Location: Motala, SE
Contact:

Re: advertisement acts like virus, how to fix and prevent security bug?

Unread post by Moonchild » 2017-09-23, 07:40

An important side note is that using an excessively large hosts file WILL slow down all your network traffic. It's not designed to be used as a blocklist, and looking through the hosts file domain list every time a DNS lookup is made makes the DNS lookup client in Windows very slow when thousands of entries are present.

satrow
Forum staff
Posts: 1885
Joined: 2011-09-08, 11:27

Re: advertisement acts like virus, how to fix and prevent security bug?

Unread post by satrow » 2017-09-23, 09:49

Moonchild wrote:An important side note is that using an excessively large hosts file WILL slow down all your network traffic. It's not designed to be used as a blocklist, and looking through the hosts file domain list every time a DNS lookup is made makes the DNS lookup client in Windows very slow when thousands of entries are present.
That can be ameliorated by disabling the DNS Client Service (or if your network requires the use of the DNS Client Service, by using one of the workarounds listed from about halfway down):
Windows DNS Client Service

In most cases the DNS Client Service is not needed; it is recommended to turn it off. These instructions are intended for a single (home-user) PC. If your machine is part of a "Domain", check with your IT Dept. before applying this work-around. This especially applies to Laptop users who travel or bring their work machines home. Make sure to reset the Service (if needed) prior to connecting (reboot required) to your work Domain ...

To resolve this issue (manually) open the "Services Editor"

Start | Run (type) "services.msc" (no quotes)
Win8 users - Control Panel > Administrative Tools > Services
Scroll down to "DNS Client", Right-click and select: Properties - click Stop
Click the drop-down arrow for "Startup type"
Select: Manual (recommended) or Disabled click Apply/Ok and restart.

Hostsman or Hosts File Editor includes an option to turn off the DNS Service

When set to Manual you can see that the above "Service" is not needed (after a little browsing - when set to Manual) by opening the Services Editor again, scroll down to DNS Client and check the "Status" column. It should be blank, if it was needed it would show "Started" in that column. There are several Utilities that can reset the DNS Client for you ... [more info]



Important! If you are using Network Discovery then the DNS Client service is required and should not be set to either Manual or Disabled.

Workaround for using the MVPS HOSTS file and leaving the DNS Client service enabled (set to: Automatic)

If you find after a period of time that your browser seems sluggish with the DNS Client service enabled you can manually flush the DNS cache
Close all browser windows ... open a "Command Prompt" from the Start Menu > All Programs > Accessories > Command Prompt
Win8 users - Charms Bar > Search > (type) command prompt > Select: Command Prompt (left pane) Ok the UAC prompt
(type) ipconfig /flushdns (press Enter) Then close the Command Prompt ...

A better Win10/8/7/Vista workaround would be to add two Registry entries to control the amount of time the DNS cache is saved. (KB318803)

Flush the existing DNS cache (see above)
Start > Run (type) regedit
Win8 users - from the Charms Bar, select: Search (type) run and select Run (left pane) and (type) "regedit" (no quotes)
Navigate to the following location:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters
Click Edit > New > DWORD Value (type) MaxCacheTtl
Click Edit > New > DWORD Value (type) MaxNegativeCacheTtl
Next right-click on the MaxCacheTtl entry (right pane) and select: Modify and change the value to 1
The MaxNegativeCacheTtl entry should already have a value of 0 (leave it that way - see screenshot)
Close Regedit and reboot ...
As usual you should always backup your Registry before editing ... see Regedit Help under "Exporting Registry files"
From http://winhelp2002.mvps.org/hosts.htm

I use HostsMan to control both the hosts + lists updating and the DNS Client, trying to split the load with the browser; hosts blocking against mostly malicious sites and servers and protecting Windows and software connections, with uBlockO (updated by uBlock Origin Updater) mostly dealing with the advertising and browser annoyances - though there is a huge amount of overlap dependent on which lists are in use.

doffen

Re: advertisement acts like virus, how to fix and prevent security bug?

Unread post by doffen » 2017-09-27, 03:42

I feel a bit stupid here: :oops: I forgot to tell you that I use the Windoze hosts list in /etc/hosts in my Puppylinux Lucid 5.2.8.7, and I have not noticed any slowdown. I have modified my about:config a lot, so I may have prevented a slowdown by eliminating some functions. I don't use bookmarks or history, and I delete all cookies and everything that can be deleted, on closing PaleMoon. I usually close PaleMoon between topics. And, no, I am not paranoid! :D

And Thehandyman1957, thank you for the uBlock tip!
(well: This add-on is not compatible with your version of Firefox.)
Just joking, I see they have a PaleMoon recommendation.
The size of my /etc/hosts file is now 488K, and I see that hpHosts file is BIG: hosts.zip (5.08MB) Why? That is a serious increase in size!

doffen
Last edited by doffen on 2017-09-27, 04:32, edited 1 time in total.

Nigaikaze
Board Warrior
Posts: 1322
Joined: 2014-02-02, 22:15
Location: Chicagoland

Re: advertisement acts like virus, how to fix and prevent security bug?

Unread post by Nigaikaze » 2017-09-27, 04:17

doffen wrote:And Thehandyman1957, thank you for the uBlock tip!
(well: This add-on is not compatible with your version of Firefox.)
You can download/install the firefox.xpi version of uBlock Origin from here ...

https://github.com/gorhill/uBlock/releases/tag/1.14.10

... and then also install this extension to keep uBlock Origin up to date:

https://addons.palemoon.org/addon/ublock0-updater/
Nichi nichi kore ko jitsu = Every day is a good day.

doffen

Re: advertisement acts like virus, how to fix and prevent security bug?

Unread post by doffen » 2017-09-27, 04:34

I'll think about it!

BTW, I added some lines to my previous post while you made your post.
Oh, and the hpHosts file is 26MB unpacked, with some 766000 entries. I think I'll stay with my 488K file! Last week, the file had only 4 entries, now there are 15000... :D

doffen

Walter Dnes
Astronaut
Posts: 652
Joined: 2015-07-30, 20:29
Location: Vaughan, ON, Canada

Re: advertisement acts like virus, how to fix and prevent security bug?

Unread post by Walter Dnes » 2017-09-27, 22:10

The problem with the universal hosts files is that they attempt to cover every ad site that everybody has ever hit anywhere on the planet. Hence the huge numbers. I have a different strategy. I go after just the ad sites that I actually get, like so...
  • Shut down Pale Moon and any other network-connecting program
  • Wait several minutes for the TCP connections to age out
  • Open up Pale Moon at a web forum that I often visit
  • Open a new tab in the same window
  • Go to about:networking in the new tab
You'll get a list of all open network connections. When you copy them to hosts, make sure that you don't block the main website itself. I have under 200 ad sites listed, and it really knocks down the load on my machine. I've got a 2008 Dell with an Intel Core2 Duo with 3 gigs of ram that I'm trying to run into the ground. It's reasonably fast.

There was one Wordpress site I often visit that would, at times, grind Pale Moon to a halt. "top" would show from 135% to 150% CPU load; OUCH! Slashdot was another painful site. With less than 200 sites blocked, I can get away with having 4 or 5 websites open SIMULTANEOUSLY IN SEPARATE INSTANCES OF PALE MOON and the computer and Pale Moon are responsive. The ad sites that you run across will be different than the ad sites that I run across, so our lists will differ.
There's a right way
There's a wrong way
And then there's my way
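The about:networking approach above hinges on one check: never block the site you are actually visiting, only the third-party hosts that loaded alongside it. The script below is an added example, not Walter Dnes's own tooling: given a list of hostnames of the kind about:networking shows (a constructed sample with made-up .test names) and the address of the site you opened, it drops everything under the site's own domain, removes duplicates, and prints ready-to-paste hosts entries.

```python
# Constructed sample of the hostnames about:networking would list while a forum
# page is open (the forum's own hosts plus third-party ad and tracking servers).
OBSERVED_HOSTS = [
    "forum.example-board.test",
    "static.forum.example-board.test",
    "cdn.example-board.test",
    "ads.example-adnetwork.test",
    "tracker.example-metrics.test",
    "ads.example-adnetwork.test",   # seen twice: separate connections, one entry
]


def registrable_domain(host):
    """Last two labels of a name ('cdn.example-board.test' -> 'example-board.test').

    Simplification: real registrable domains need the Public Suffix List (think
    'bbc.co.uk'); for a personal blocklist the two-label rule is usually enough,
    but check the output before pasting it into /etc/hosts.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def is_within(host, domain):
    """True if host is the domain itself or any subdomain of it."""
    h = host.lower().rstrip(".")
    return h == domain or h.endswith("." + domain)


def third_party_hosts(observed, site):
    """Unique, sorted hosts from the connection list that do not belong to the site itself."""
    own = registrable_domain(site)
    return sorted({h.lower().rstrip(".") for h in observed if not is_within(h, own)})


def hosts_entries(hosts):
    """Format block entries for /etc/hosts, using 0.0.0.0 as the sinkhole target."""
    return [f"0.0.0.0 {h}" for h in hosts]


if __name__ == "__main__":
    for line in hosts_entries(third_party_hosts(OBSERVED_HOSTS, "forum.example-board.test")):
        print(line)
```

The comparison is done on the registrable domain rather than the exact host so that the site's own CDN and static-content hosts survive; a third-party CDN that also serves content you need would still be caught, which is why the list is worth a look before it goes into the hosts file.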

satrow
Forum staff
Posts: 1885
Joined: 2011-09-08, 11:27

Re: advertisement acts like virus, how to fix and prevent security bug?

Unread post by satrow » 2017-09-27, 22:48

You don't have to use generic hosts files, you can select specific block lists to suit your needs and usage; maybe malware, exploit and hijack sites in your hosts file to protect all your connections, with ad/tracking, misleading marketing and PUPs in your adblocking lists inside your browser(s).
http://hosts-file.net/?s=Download

Note: If you are using programs such as HostsMan, APK, uMatrix, AdBlock Plus, uBlock Origin, please consider switching from the hosts.txt file, to the individual classification files. These are both smaller, and more importantly, updated far more frequently (daily as opposed to monthly for hosts.txt). You can find the list of classification files on the hpHosts downloads page under "Individual Classifications".
See also the list options available in uBlockO, which can also be used in a hosts file or other blocking file/add-on.

Walter Dnes
Astronaut
Posts: 652
Joined: 2015-07-30, 20:29
Location: Vaughan, ON, Canada

Re: advertisement acts like virus, how to fix and prevent security bug?

Unread post by Walter Dnes » 2017-09-28, 02:18

Here's an idea I've been kicking around for filtering. Rather than filtering by host name, howsabout filtering by IP address range? I assume that sites like doubleclick deliberately fiddle around with adserver names, e.g. a.doubleclick.net, b.doubleclick.net, c.doubleclick.net, abc.doubleclick.net, etc. etc. And they probably randomly rotate and rename their adservers via an automated script. This is deliberately done to get past hostfile-based blocking.

I was thinking of setting up IP-address-range blocklists. No amount of screwing around with subdomain names, or even the main domain name, will get past that. Also, you'll only need one range/CIDR entry to cover what is now umpteen adserver names. Given the scarcity of IPV4 addresses, jumping around to different address ranges is more difficult. I had originally envisioned this as a set of iptables rules, i.e. linux-specific. But on second thought, Windows users could benefit too. Is there a way to import a list of IPV4 ranges, or CIDRs, into the Windows firewall?

adesh
Board Warrior
Posts: 1277
Joined: 2017-06-06, 07:38

Re: advertisement acts like virus, how to fix and prevent security bug?

Unread post by adesh » 2017-09-28, 08:17

Walter Dnes wrote:Rather than filtering by host name, howsabout filtering by IP address range? I assume that sites like doubleclick deliberately fiddle around with adserver names, e.g. a.doubleclick.net, b.doubleclick.net, c.doubleclick.net, abc.doubleclick.net, etc. etc. And they probably randomly rotate and rename their adservers via an automated script. This is deliberately done to get past hostfile-based blocking.
Instead of that, it would be better to quickly disable hostnames based on wildcard matching using dnsmasq. But then you may argue that it requires running an extra process? ;)
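The two posts above describe the same problem (an ad network renaming a.doubleclick.net to abc.doubleclick.net defeats an exact hosts entry) and two answers to it: Walter Dnes's CIDR-range blocking and adesh's dnsmasq wildcard matching. The script below is an added example written for this thread, not code from either poster: it takes a constructed table of observed ad-server names and addresses (documentation addresses, not real resolutions), shows that a renamed server slips past exact hosts matching, then checks it against a collapsed CIDR list and against dnsmasq-style suffix matching, and emits the corresponding iptables and dnsmasq configuration lines. The doubleclick.net names follow the pattern described in the post; the .test tracker name is made up.

```python
import ipaddress

# Constructed observations: ad-server names and the addresses they resolved to.
# The doubleclick.net naming pattern is the one described in the post; the
# addresses are documentation ranges, not real resolutions.
OBSERVED = {
    "a.doubleclick.net": "198.51.100.10",
    "b.doubleclick.net": "198.51.100.27",
    "abc.doubleclick.net": "198.51.100.200",
    "tracker.example-metrics.test": "203.0.113.77",
}


def hosts_blocked(host, entries):
    """Plain hosts-file semantics: a name is blocked only on exact match."""
    return host.lower() in {e.lower() for e in entries}


def collapse_to_cidrs(ips, prefixlen=24):
    """Widen each observed address to its /prefixlen network and merge overlaps."""
    nets = [ipaddress.ip_network(f"{ip}/{prefixlen}", strict=False) for ip in ips]
    return [str(n) for n in ipaddress.collapse_addresses(nets)]


def ip_blocked(ip, cidrs):
    """True if the address falls inside any blocked range."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(c) for c in cidrs)


def suffix_blocked(host, suffixes):
    """dnsmasq address=/domain/ semantics: the domain and every name under it."""
    h = host.lower().rstrip(".")
    return any(h == s or h.endswith("." + s) for s in suffixes)


def iptables_rules(cidrs):
    """Outbound REJECT rules, one per range (the Linux side of the idea)."""
    return [f"iptables -A OUTPUT -d {c} -j REJECT" for c in cidrs]


def dnsmasq_lines(suffixes):
    """dnsmasq.conf lines that answer the whole domain with the 0.0.0.0 sinkhole."""
    return [f"address=/{s}/0.0.0.0" for s in suffixes]


if __name__ == "__main__":
    renamed = "xyz.doubleclick.net"   # a server name that is not in the observed list
    cidrs = collapse_to_cidrs(OBSERVED.values())
    print("exact hosts entry blocks renamed server:", hosts_blocked(renamed, OBSERVED))
    print("CIDR range blocks its address:", ip_blocked("198.51.100.250", cidrs))
    print("dnsmasq suffix blocks renamed server:", suffix_blocked(renamed, ["doubleclick.net"]))
    print("\n".join(iptables_rules(cidrs) + dnsmasq_lines(["doubleclick.net"])))
```

The /24 widening is what makes the range approach robust against renamed servers, and also what makes it risky: anything else hosted in that range (a shared CDN or cloud provider, which is exactly where ad servers tend to live) is blocked as collateral damage, so inspect the collapsed ranges before turning them into firewall rules. The suffix approach has no such side effect but, as adesh notes, needs a local resolver such as dnsmasq running to apply it.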
