Open astrutt opened 7 years ago
[13:33:49]
[13:43:19]
This is my bad, I didn't think to check the links at all. Would adding some zero-width spaces in them to stop IRC clients from processing them as links be an acceptable solution?
I mean I should probably just remove all rekt lines which include links at all, as people may try to follow them anyways (even though the message should just be what the url is, not like a website I mean).
Absolutely not.
The correct fix is to remove the plugin entirely, as it’s intended to be malicious. Or remove entirely the lines that are malicious in rekt.txt.
I’m considering reporting this bot and module to us-cert.gov and others.
Vr,
Andrew
From: David Ross notifications@github.com
Reply-To: CloudBotIRC/CloudBot reply@reply.github.com
Date: Wednesday, May 31, 2017 at 2:19 PM
To: CloudBotIRC/CloudBot CloudBot@noreply.github.com
Cc: Andrew Strutt andrew.strutt@gmail.com, Author author@noreply.github.com
Subject: Re: [CloudBotIRC/CloudBot] .rekt module defaults send users to malware websites (#271)
This is my bad, I didn't think to check the links at all. Would adding some non-breaking spaces in them to stop IRC clients from processing them as links be an acceptable solution?
I mean I should probably just remove all rekt lines which include links at all, even though the message isn't like a url, but just the url name.
OK. I know the author of this plugin, and I'm sure it was not intended maliciously, only as a misunderstanding that these links would be clickable. I'll definitely remove the lines.
(a misunderstanding, or just not at all considering the destination of these links).
Removed as of https://github.com/CloudBotIRC/CloudBot/commit/9f5130a8bff543fc8c009757749e5dd3131bb2c5.
The default rekt.txt is pushing users to websites that attempt to install browser malware:
http://adrak.gq/5563-2-new/c/your-computer-is-locked-call-us-at-tollfreenow--1-877-506-5563-your-computer-is-locked-call-us-at-tollfreenow--1-877-506-5563/
Example URL.
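The fix settled on in this thread, dropping every rekt.txt line that contains a link, can be enforced with a small check before a data file ships. This is an added example, not CloudBot code: the function names and the sample lines (which use the reserved .invalid domain) are constructed for illustration. It removes zero-width and non-breaking characters before matching, so a link that has been split up that way is still reported with its real host name.

```python
import re
import unicodedata

# Matches scheme://... URLs and bare host names such as www.example.invalid/path.
LINK_RE = re.compile(
    r"\b[a-z][a-z0-9+.-]*://\S+"
    r"|\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b(?:/\S*)?",
    re.IGNORECASE,
)


def strip_invisible(text):
    """Drop format characters (category Cf, e.g. U+200B) and non-breaking spaces."""
    return "".join(
        ch for ch in text
        if unicodedata.category(ch) != "Cf" and ch != "\u00a0"
    )


def find_links(line):
    """Return the link-like tokens in a line, matched on its visible text."""
    return [m.group(0) for m in LINK_RE.finditer(strip_invisible(line))]


def filter_lines(lines):
    """Split lines into (kept, dropped); a line is dropped if it holds any link."""
    kept, dropped = [], []
    for line in lines:
        (dropped if find_links(line) else kept).append(line)
    return kept, dropped


# Constructed sample lines, not taken from the real rekt.txt.
SAMPLE_LINES = [
    "☑ Rekt ☐ Not rekt",
    "☐ Not rekt ☑ http://example.invalid/landing",
    "☑ www.example.invalid",
    "☑ example.\u200binvalid/page",  # zero-width space after the dot
]

if __name__ == "__main__":
    kept, dropped = filter_lines(SAMPLE_LINES)
    for line in dropped:
        print("DROP", repr(line), find_links(line))
    print("kept", len(kept), "of", len(SAMPLE_LINES))
```

The pattern is deliberately broad, so file names such as rekt.txt are flagged as well and need a manual look.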