Monday, January 19, 2015

Bring back the Death Penalty for people who code Browser Hijacks and web popups.


This is what we should do to any web developer who spends one millisecond of their time coding web/blog/browser hijack code. I would add a sign under each body saying "I wrote the 'Media Player Update' popup", or "I wrote the 'Possible Privacy Breach' popup", or "I wrote the 'Talk to a technician in Czechoslovakia' popup". Life imprisonment would be treating them too well. Bring back the death penalty....

Who's with me? Grab your torch and pitchfork!

Friday, January 16, 2015

The luggage incident...

Last Sunday my wife was away all day scrapbooking. My youngest had a play date and later that afternoon, when the other parent came by to pick up their kid, my daughter asked:

"Where's Mom?"
"She's scrapbooking." I said.
"Then why did she have luggage with her?" She asks...
(This is in front of the picking up parent)
"That's not luggage, those are scrapbooking totes, they look like luggage." I explain.
"I know what the other things are, she had luggage!" She insisted.
(The other parent is looking around wondering how quick he can pick up his kid and get out of there)
"They're totes, don't worry about it, say goodbye to your friend..." I say.

They leave and I think, wow, he must think we're getting a divorce (grin).... That's funny, I'll have to tell Julie...

Later on in the week, I see the other parent while we're picking up the kids after school. He looks at me and gives me that thumbs-up "Is everything OK?" look, but I didn't remember the Sunday thing and had no idea why he was looking at me like that, so I gave him a weird look and he kinda nodded at me knowingly... Dammit, he thinks I have marital problems (grin)...

So today I run into him and he kinda looks away as we pass in the hall (doesn't want to make me feel bad (grin)), and it hits me...

Last Saturday night my wife came home with new luggage she had just bought as a gift. It was her best friend's birthday, her friend was also booked to go down south, and the luggage was a birthday present my wife was going to give her at the scrapbook thing. I helped her figure out how to get into the TSA locking mechanism that night and totally forgot about it. SHE DID HAVE LUGGAGE!

So my kid had it right all along. Now how do I go about explaining this to my kid's friend's parents so they'll let her come over on future play dates (grin)...

No one wants their kid over at someone's house in the midst of a messy separation.. Oh well.. Let the rumour mill fly.. Damned luggage..

Tuesday, January 13, 2015

Blogspot www.adcash.com Hijack/Redirect www.freecounterstat.com sucks!

Thought I'd make a post, since I was unable to find keywords to point me to a quick fix for the problem and had to fix it myself the hard way. A few weeks ago my wife mentioned that visitors to her Blogspot/Blogger blog had contacted her saying they were getting served random popups to a variety of crap sites. Some sites wanted to install viewer software, others just wanted to sell you crap, make you watch videos, make you clickity-click everywhere... etc.

It would only do it once per visit per day, which meant that when it happened and she told me about it, I asked her to repeat the steps to recreate the behavior and it would not do it again. How annoying is that? I'm used to personal computers and servers behaving in my presence because they are deathly afraid of me (as they should be) and flaking out when I leave the room, but eventually I actually saw it happen with my own eyes.

Whatever it was wrote a local cookie with the same name as the blog itself, and that cookie is what throttled it to once a day. Deleting or blocking that cookie made the redirect fire each and every time, which made it much easier to troubleshoot.

The destinations were a multitude of random, crappy click generators. It all started with the site www.adcash.com, which would then pick the random redirect of the day from a list like this:
offer.alibaba.com
lp.freegameszonetab.com
www.roblox.com
lp.bigfarm.goodgamestudios.com
www.binaryoptionsbrands.com
binaryoptionsbrands.com
There were so many of them that it became impossible to research the problem from the back end. You can't search for "Hey, I get redirected once a day to this site (and this one the next day, and this one, and this one...)": it's a buckshot of annoying websites, and the real information is hidden in the forest of keyword website crap. Any hits that did come up only pointed to PC malware cleanups, which was not the issue in this case. All the PCs at home are pretty well protected with MS Security Essentials, Spybot Search and Destroy, etc. This was a problem with the blog itself. Had it been hacked? How was that possible? Can clicking on a bad popup while logged into your Google account (which we always are) write malicious code into your template? Unlikely. That's a lot of clicks and not easily scriptable.

I looked through the blog template (3000 lines) and found an odd entry in an unimportant place in the layout. It was a 200-character nonsense string with a Base64 decode function in front of it. Base64 is handy for turning cleartext into gobbledygook when you're trying to hide stuff from people: you have some nasty commands you want to hide, you convert the string to Base64 and tell the template to decode it on the fly. It's encoding, not encryption, so anyone who spots it can reverse it. I popped it into a Base64 decoder, saw cleartext, and saw that it was calling some binary code. Out it came.

Didn't fix it. Not sure what it was. Next... time to get out Wireshark and start looking at packets, or Process Monitor, and look for the needle in the haystack... But wait!

Turns out the site I found the Base64 decoder on was chock full of info. It was http://aw-snap.info/articles/redirects.php. Not only did it go over the Base64 thing but a host of other nasty tricks. They had a Blogger tool you could plug your Blogspot blog into and it would check it (tried it, but no luck).

In fact there were not a lot of issues on the Blogspot/Blogger front apart from some kunoichi gadget issues. I figured removing JavaScript blocks one at a time was a good shortcut to try, so in a fit of brute force and ignorance I backed up the blog template again, documented the layout and started removing HTML/JavaScript widgets one by one, checking after each one whether the redirect still fired. Damned if it wasn't the second one causing all the fuss. It was a visit counter from www.freecounterstat.com (counter2.statcounterfree.com to be exact), and this was the thing writing the cookies and calling the Ajax random malware popup generator.

This is a free third-party visitor counter JavaScript that my wife found somewhere because it looked pretty. She put it on her blog, where it counted away for years until a few weeks ago.
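The two things I ended up doing by hand on the template, listing every third-party script include and decoding the Base64 blob, can be done mechanically. The Node.js script below is an added example written for this post, not code from the blog, from Blogger, or from the counter vendor. The sample template, widget ids, blog hostname and hidden payload in it are constructed for the example; the only real hosts in it are counter2.statcounterfree.com and www.adcash.com, which are the ones named above.

```javascript
// Added example (not from the original post): triage a saved Blogger template
// for (1) third-party <script src> hosts and (2) base64 blobs passed to atob(),
// which get decoded so the hidden JavaScript can actually be read.

// Constructed hidden payload: a once-a-day cookie gate followed by a redirect,
// the behaviour described in the post. The cookie name is made up.
const HIDDEN_PAYLOAD =
  'if(!/myblog=1/.test(document.cookie)){' +
  'document.cookie="myblog=1;max-age=86400;path=/";' +
  'window.location.href="http://www.adcash.com/";}';

// Constructed sample template. A real template would carry the base64 string
// already embedded; here it is produced from HIDDEN_PAYLOAD so the decode step
// can be checked against a known answer.
const SAMPLE_TEMPLATE = `
<html><head>
<script type='text/javascript' src='https://www.blogger.com/static/v1/widgets/widgets.js'></script>
</head><body>
<div class='widget HTML' id='HTML1'><p>Welcome to my blog</p></div>
<div class='widget HTML' id='HTML2'>
  <script type='text/javascript' src='//counter2.statcounterfree.com/counter.js'></script>
</div>
<div class='widget HTML' id='HTML3'>
  <script type='text/javascript'>eval(atob('${Buffer.from(HIDDEN_PAYLOAD).toString('base64')}'));</script>
</div>
</body></html>`;

// Hosts that legitimately belong to the blog (assumed); anything else is third party.
const OWN_HOSTS = ['myblog.blogspot.com', 'www.blogger.com'];

// Every external script include, resolved against the blog's own URL so that
// protocol-relative '//host/x.js' and relative '/x.js' sources get a hostname.
function thirdPartyScriptHosts(html, ownHosts, blogUrl = 'https://myblog.blogspot.com/') {
  const re = /<script\b[^>]*\bsrc\s*=\s*['"]([^'"]+)['"]/gi;
  const hosts = new Set();
  for (const m of html.matchAll(re)) {
    const host = new URL(m[1], blogUrl).hostname;
    if (!ownHosts.includes(host)) hosts.add(host);
  }
  return [...hosts].sort();
}

// Indicators worth a second look in decoded script: cookie handling (the
// once-per-day gate), redirects or popups, injected markup, and further eval.
function flagDecoded(js) {
  const checks = [
    ['touches cookies', /document\.cookie/],
    ['redirects or opens a window', /(?:window\.)?location(?:\.href)?\s*=[^=]|location\.(?:replace|assign)\(|window\.open\(/],
    ['injects markup or script', /document\.write|createElement\(\s*['"]script['"]/],
    ['evaluates code', /\beval\(|new Function\(/],
  ];
  return checks.filter(([, re]) => re.test(js)).map(([name]) => name);
}

// Base64 literals handed to atob(). The decoded text is kept only if it is
// printable ASCII; anything else is reported as a binary blob for manual review.
function base64Payloads(html) {
  const re = /atob\(\s*['"]([A-Za-z0-9+/=]{16,})['"]\s*\)/g;
  const out = [];
  for (const m of html.matchAll(re)) {
    const decoded = Buffer.from(m[1], 'base64').toString('utf8');
    const printable = /^[\x09\x0a\x0d\x20-\x7e]*$/.test(decoded);
    out.push({
      encoded: m[1],
      decoded: printable ? decoded : '',
      flags: printable ? flagDecoded(decoded) : ['non-printable payload'],
    });
  }
  return out;
}

function triage(html, ownHosts) {
  return { thirdPartyHosts: thirdPartyScriptHosts(html, ownHosts), payloads: base64Payloads(html) };
}

console.log(JSON.stringify(triage(SAMPLE_TEMPLATE, OWN_HOSTS), null, 2));
```

Against the constructed template this reports exactly one third-party host, the counter, and one decoded payload flagged for touching cookies and redirecting. On a real saved template the point is the same: every host that is not yours is a candidate for the one-at-a-time removal described above, and every atob() blob is something to read before deciding it is harmless.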

Brute force and ignorance. It was only after I found out it was the culprit and started researching www.freecounterstat.com that I stumbled across that website keyword in this article, which described the same issue we were having. Crazy thing about that story is that the author contacted the makers of the script and they replied back with:

    "Hi,
    I turn off popup on your account
    chris"

GREAT! Thanks, Chris... Were they hacked, or is this something they randomly turn on for sets of clients to generate click revenue for their free tool? I vote for the latter.

Don't use scripts from www.freecounterstat.com. Malware sucks. 

Along the way I learned about ScriptSafe, a Google Chrome extension that blocks scripts from running on web pages, with per-site lists you can set to trusted or distrusted. Worth checking out...