
I FOUND THE BOT!

WOW! Was I ever off base with this one! Now, what I want to know is what the heck is going on???

I commented to a reader about doing a netstat -an from the command prompt and decided to take my own advice. Here’s what I found in my netstat.

My Netstat -an results

Closed is good. Not connected.

But wait, something is not sitting right with me. The port. The port is a secured port! 443 is a secured port!

The plot thickens!

I look this port up on GRC Port Authority and discover this:

SSL

The “s” in “https” stands for “secure”: Hyper Text Transfer Protocol, Secure. You may encounter other s-suffix protocols such as ftps or smtps. These, similarly, refer to secured-transport versions of the base protocol.

In the case of https, whereas the default port used for standard non-secured “http” is port 80, Netscape chose 443 to be the default port used by secure http. (They chose port 443 because it was not being used for any other purpose at the time.)

So now I’m really confused. How can this be? A botnet that is authenticated over SSL?? This is not right.

I go back to the Whois query and this time I check the box next to Reverse Domain Lookup. I should’ve done this the first time – darn it!

Now look who this is! WTF???

TrendMicro????

Okay, so now we know that IP is benign, but this begs the question: what the H*LL is going on with Trend that the bot alert is going off on websites, and why???

Trend, would you please respond??? What in the heck is going on??

I didn’t apply for a job with you so this can’t be a test. So what the heck is up??

Are you setting off your own alert when you try to scan a website? Is this some kind of glitch in your software? What?
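The triage the post does by hand (read the remote address and port out of netstat, then reverse-resolve the peer to see who it is) can be scripted, with one step the post skips: `netstat -ano` adds the owning PID, and `tasklist /FO CSV` turns that PID into a process name, so the socket is attributed to a program instead of being judged by its port number. The block below is an added example, not code from the post or from Trend Micro. The netstat and tasklist output, the PTR table and the image name rubotted.exe are constructed for the demo (TEST-NET addresses throughout); `reverse_dns` only performs a live PTR query when no resolver is passed in.

```python
"""Script the post's triage: parse `netstat -ano`, attribute each remote TCP peer
to a process via `tasklist /FO CSV`, and reverse-resolve the peer address.
Added example; the sample output and PTR table below are constructed."""
import csv
import io
import ipaddress
import re
import socket
from collections import defaultdict
from typing import Callable, Dict, List, NamedTuple, Optional

# Conventional ports for TLS-wrapped protocols. The port says what to expect
# on the wire (encryption), nothing about who the peer is.
TLS_PORTS = {443: "https", 465: "smtps", 990: "ftps", 993: "imaps", 995: "pop3s"}

class Conn(NamedTuple):
    proto: str
    local: str
    lport: str
    remote: str
    rport: str
    state: str   # empty for UDP rows, which have no State column
    pid: int

# One Windows `netstat -ano` row: Proto, Local, Foreign, [State], PID.
_ROW = re.compile(
    r"^\s*(TCP|UDP)\s+(\S+):(\d+|\*)\s+(\S+):(\d+|\*)\s+(?:([A-Z_]+)\s+)?(\d+)\s*$"
)

def parse_netstat(text: str) -> List[Conn]:
    """Return one Conn per socket row; header and blank lines are skipped."""
    out = []
    for line in text.splitlines():
        m = _ROW.match(line)
        if m:
            proto, lh, lp, rh, rp, state, pid = m.groups()
            out.append(Conn(proto, lh, lp, rh, rp, state or "", int(pid)))
    return out

def parse_tasklist_csv(text: str) -> Dict[int, str]:
    """Map PID -> image name from `tasklist /FO CSV` output."""
    return {int(r["PID"]): r["Image Name"] for r in csv.DictReader(io.StringIO(text))}

def is_remote(host: str) -> bool:
    """True for a real peer: not wildcard, unspecified, loopback or link-local."""
    try:
        ip = ipaddress.ip_address(host.strip("[]"))
    except ValueError:        # "*" and other non-address placeholders
        return False
    return not (ip.is_unspecified or ip.is_loopback or ip.is_link_local)

def reverse_dns(ip: str, resolver: Callable = socket.gethostbyaddr) -> Optional[str]:
    """PTR name for ip, or None when there is none. A PTR is a hint, not proof of ownership."""
    try:
        return resolver(ip)[0]
    except (socket.herror, socket.gaierror, OSError, KeyError):
        return None

def triage(netstat_text: str, tasklist_text: str, resolver: Callable = socket.gethostbyaddr) -> dict:
    """Group TCP peers by remote address with owning process, states, ports and PTR name."""
    procs = parse_tasklist_csv(tasklist_text)
    peers = defaultdict(lambda: {"ports": set(), "states": set(), "processes": set()})
    for c in parse_netstat(netstat_text):
        if c.proto != "TCP" or not is_remote(c.remote):
            continue
        peers[c.remote]["ports"].add(int(c.rport))
        peers[c.remote]["states"].add(c.state)
        peers[c.remote]["processes"].add(procs.get(c.pid, f"pid {c.pid} (not in tasklist)"))
    return {
        host: {
            "ptr": reverse_dns(host, resolver),
            "processes": sorted(p["processes"]),
            "states": sorted(p["states"]),
            "ports": sorted(p["ports"]),
            "tls": sorted(TLS_PORTS[x] for x in p["ports"] if x in TLS_PORTS),
        }
        for host, p in peers.items()
    }

# Constructed sample data; rubotted.exe is an assumed image name, not Trend Micro's.
SAMPLE_NETSTAT = """
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       832
  TCP    192.168.1.5:49213      203.0.113.10:443       ESTABLISHED     2468
  TCP    192.168.1.5:49218      203.0.113.10:443       CLOSE_WAIT      2468
  TCP    192.168.1.5:49220      198.51.100.7:80        ESTABLISHED     3100
  TCP    127.0.0.1:49300        127.0.0.1:49301        ESTABLISHED     3100
  UDP    0.0.0.0:123            *:*                                    1100
"""
SAMPLE_TASKLIST = '''"Image Name","PID","Session Name","Session#","Mem Usage"
"rubotted.exe","2468","Console","1","12,344 K"
"firefox.exe","3100","Console","1","98,004 K"
'''
CONSTRUCTED_PTR = {"203.0.113.10": ("update-host.example.net", [], ["203.0.113.10"])}

def constructed_resolver(ip: str):
    """Offline stand-in for socket.gethostbyaddr backed by CONSTRUCTED_PTR."""
    return CONSTRUCTED_PTR[ip]   # KeyError is treated as 'no PTR' by reverse_dns

def demo() -> dict:
    return triage(SAMPLE_NETSTAT, SAMPLE_TASKLIST, resolver=constructed_resolver)
```

To use it on a real box, capture `netstat -ano > ns.txt` and `tasklist /FO CSV > tl.txt` and pass the two files' contents to `triage` with the default resolver. Two caveats for reading the result: a PTR record is published by whoever controls the address's reverse zone, so the registry whois the post ended up using is the stronger ownership check; and a peer on 443 only tells you the traffic is expected to be TLS, which says nothing about whether the peer is benign, since command-and-control over 443 is routine. The PID column is what actually settles the question: it is the same evidence Ddraig's comment reaches by closing RUBotted and watching the socket disappear.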



bookmark bookmark bookmark bookmark bookmark bookmark bookmark bookmark bookmark bookmark

Share This Post

Tags: , , , , , , , , , , , , , , ,

10 Responses to “I FOUND THE BOT!”

  1. Ray Says:

    heh Just posted something along these lines myself. Just shorter, less thorough and much less eloquently than yourself. Thanks for the efforts you’ve put into this!

    Admin reply on November 22nd, 2008 6:21 pm:

    @Ray, I should have checked that box before this. I wasted a lot of time researching what I didn’t need to research! Sigh. Oh well, now the answer remains, why? What is going with this??

  2. Xonnel Says:

    So…me too. Same issue, same tail chasing. I have spent the last couple of days trying to figure this out too. Thanks for sharing what you found. I noticed that the database for my RUBotted was updated a couple of days ago. Wondering if that has something to do with the timing of all the activity.

    If you park your browser on a page with no ads…no bot messages. Must be some change they made recently.

    Thanks again. You made me feel a little less crazy.

  3. andy penn Says:

    Thanks for posting these details. There’s no support from TrendMicro for RUbotted, so I’ve not been able to find out why RUbotted gives out these alerts yet when you do a check for bots it says all clear. TrendMicro have got some explaining to do – has anyone tried to contact them about this?

  4. Ddraig Says:

    I’m not exactly sure, but if you close RUBotted then the IP that you have disappears from your netstat. I believe it is nothing more than RUBotted connecting back to the servers, which is why it is SSL encrypted. I don’t think that is the “virus” website or whatever Trend is claiming it to be.

    This only seems to pop up when I load up Firefox though… I don’t really notice it popping up when I open IE.

  5. JorgenG Says:

    I ran Wireshark as well and it came up with some more sinister news: seems that the bot establishes a KVM connection to the 150.70.89.33 address. The next action is coming from a bnet game port – but that could be a coincidence?

    Anyway, I (kind of) panicked and installed a permanent route (using “route add -p”) so that the communication from the bot just hits dev NULL ;-) or rather a non-existing host on my network. Should take care of the imminent threat.

    BUT, it doesn’t remove the little bugger. Has anyone any ideas or have seen a fix – however crude?

    Admin reply on November 24th, 2008 10:04 am:

    @JorgenG, We can’t fix a problem we don’t understand. We need to find out what is creating the pop-up. What action on the websites or ads are creating this? And why is it slowing down now? Someone knows something and isn’t talking. But I’m working on it! Still.

  6. The RUBotted Saga Continues | Technical Tidbits Says:

    [...] Most Read PostsWhat Ad Server is Dishing Up Malware and Bots? (144)I FOUND THE BOT! (87)Friday’s Quickies (59)RUBotted Notices are Slowing Down (48)Why is Microsoft REALLY Investing [...]

  7. Buck Says:

    Just thought I’d chime in here since it seems no one else is doing the level of analysis on this that you are. I’m a non-technical user and have been seeing these same ‘your pc is being remote controlled’-type pop-ups from RUBotted. When checking the RUBotted logs, and status – nothing. It happens when I’m on sites that have a lot of ads and/or flash video. I’ve been ignoring them because the logs say nothing is there and nothing has popped up in Avast AV. I have repeatedly clicked the “run housecall now” button but Housecall won’t run on my machine for some reason (in IE or FF3). Don’t know what else to do about this. Hoping you come up with a solution since TrendMicro seems to be ignoring it under the “it’s a beta” banner.

    Admin reply on December 9th, 2008 10:07 am:

    @Buck, Thanks for adding your comments Buck! The more information we get, the more we are able to hunt this thing down!
