I FOUND THE BOT!
WOW! Was I ever off base with this one! Now, what I want to know is what the heck is going on???
I commented to a reader about doing a netstat -an from the command prompt and decided to take my own advice. Here’s what I found in my netstat.
Closed is good. Not connected.
But wait, something is not sitting right with me. The port. The port is a secured port! 443 is a secured port!
The plot thickens!
I look this port up on GRC Port Authority and discover this:
SSL
The “s” in “https” stands for “secure”: Hypertext Transfer Protocol, Secure. You may encounter other s-suffix protocols such as ftps or smtps. These, similarly, refer to secured-transport versions of the base protocol.
In the case of https, whereas the default port used for standard non-secured “http” is port 80, Netscape chose 443 to be the default port used by secure http. (They chose port 443 because it was not being used for any other purpose at the time.)
So now I’m really confused. How can this be? A botnet that is authenticated over SSL?? This is not right.
I go back to the Whois query and this time I check the box next to Reverse Domain Lookup. I should’ve done this the first time – darn it!
Now look who this is! WTF???
Okay, so now we know that IP is benign, but this raises the question: what the H*LL is going on with Trend that the bot alert is going off on web sites, and why???
Trend, would you please respond??? What in the heck is going on??
I didn’t apply for a job with you so this can’t be a test. So what the heck is up??
Are you setting off your own alert when you try to scan a website? Is this some kind of glitch in your software? What?
Heh, just posted something along these lines myself. Just shorter, less thorough and much less eloquent than yours. Thanks for the efforts you’ve put into this!
Reply
Facebook User reply on November 22nd, 2008 6:21 pm:
@Ray, I should have checked that box before this. I wasted a lot of time researching what I didn’t need to research! Sigh. Oh well, now the question remains, why? What is going on with this??
Reply
So…me too. Same issue, same tail chasing. I have spent the last couple of days trying to figure this out too. Thanks for sharing what you found. I noticed that the database for my RUBotted was updated a couple of days ago. Wondering if that has something to do with the timing of all the activity.
If you park your browser on a page with no ads…no bot messages. Must be some change they made recently.
Thanks again. You made me feel a little less crazy.
Reply
Thanks for posting these details. There’s no support from TrendMicro for RUBotted, so I’ve not been able to find out why RUBotted gives out these alerts yet, when you do a check for bots, it says all clear. TrendMicro have got some explaining to do – has anyone tried to contact them about this?
Reply
I’m not exactly sure, but if you close RUBotted then the IP that you have disappears from your netstat. I believe it is nothing more than RUBotted connecting back to its servers, which is why it is SSL encrypted. I don’t think that is the “virus” website or whatever Trend is claiming it to be.
This only seems to pop up when I load up Firefox though… I don’t really notice it popping up when I open IE.
Reply
I ran Wireshark as well and it came up with some more sinister news: it seems that the bot establishes a KVM connection to the 150.70.89.33 address. The next action is coming from a bnet game port – but that could be a coincidence?
Anyway, I (kind of) panicked and installed a permanent route (using “route add -p”) so that the communication from the bot just hits /dev/null, or rather a non-existing host on my network. Should take care of the imminent threat.
BUT, it doesn’t remove the little bugger. Has anyone any ideas, or seen a fix – however crude?
Reply
Facebook User reply on November 24th, 2008 10:04 am:
@JorgenG, We can’t fix a problem we don’t understand. We need to find out what is creating the pop-up. What action on the websites or ads are creating this? And why is it slowing down now? Someone knows something and isn’t talking. But I’m working on it! Still.
Reply
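The post’s netstat check and the blackhole route described in the comment above, as an added example that is not part of the original post or of RUBotted: it parses `netstat -an` output, does a reverse lookup on each remote peer (through a pluggable resolver, so the offline demo uses a constructed PTR table rather than a live DNS answer), flags port 443 without treating it as a sign of safety, and builds the Windows `route add -p` command that points an address at a non-existent gateway. The sample netstat lines, the 192.168.x addresses, the gateway and the PTR name are all constructed for the demo; only the 150.70.89.33 address comes from the thread.

```python
"""Triage `netstat -an` output and build a blackhole route.

Added example for this post, not code from the post or from Trend Micro.
Everything in SAMPLE_NETSTAT and CONSTRUCTED_PTR is made up for the demo
except the 150.70.89.33 address, which is the one discussed in the thread.
"""
import ipaddress
import socket
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

# Constructed sample of Windows `netstat -an` output.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    192.168.1.10:49170     150.70.89.33:443       CLOSE_WAIT
  TCP    192.168.1.10:49188     10.0.0.7:8080          ESTABLISHED
  UDP    0.0.0.0:500            *:*
"""

# Constructed PTR table for offline use; this is NOT the real reverse DNS
# for the address, just a placeholder so the demo runs without network.
CONSTRUCTED_PTR: Dict[str, str] = {"150.70.89.33": "placeholder-ptr.example.net"}

Resolver = Callable[[str], Optional[str]]


@dataclass
class Conn:
    proto: str
    local: str
    remote_ip: str
    remote_port: Optional[int]
    state: str


@dataclass
class Finding:
    remote_ip: str
    remote_port: Optional[int]
    state: str
    ptr: Optional[str]
    tls_port: bool  # True for 443: tells you the transport, not who the peer is


def split_hostport(addr: str):
    """Split 'ip:port' or '[v6]:port' on the LAST colon so IPv6 survives."""
    host, _, port = addr.rpartition(":")
    return host.strip("[]"), (int(port) if port.isdigit() else None)


def parse_netstat(text: str) -> List[Conn]:
    """Keep only the TCP/UDP rows; header and blank lines are skipped."""
    conns: List[Conn] = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0] not in ("TCP", "UDP"):
            continue
        state = parts[3] if len(parts) > 3 else ""  # UDP rows have no state
        ip, port = split_hostport(parts[2])
        conns.append(Conn(parts[0], parts[1], ip, port, state))
    return conns


def make_dict_resolver(mapping: Dict[str, str]) -> Resolver:
    """Offline resolver backed by a fixed table (used by the demo)."""
    return lambda ip: mapping.get(ip)


def dns_resolver(ip: str) -> Optional[str]:
    """Live PTR lookup; swap this in when you run against a real box."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror, OSError):
        return None


def is_real_peer(conn: Conn) -> bool:
    """Drop listeners (0.0.0.0 / *), loopback and anything unparsable."""
    if conn.proto != "TCP" or conn.remote_ip in ("0.0.0.0", "*", ""):
        return False
    try:
        return not ipaddress.ip_address(conn.remote_ip).is_loopback
    except ValueError:
        return False


def triage(conns: List[Conn], resolver: Resolver) -> List[Finding]:
    """One finding per remote peer, with PTR and a 443 flag for the reader."""
    return [
        Finding(c.remote_ip, c.remote_port, c.state, resolver(c.remote_ip),
                c.remote_port == 443)
        for c in conns if is_real_peer(c)
    ]


def blackhole_route_cmd(ip: str, dead_gateway: str) -> str:
    """Windows host route (/32) to a gateway that does not exist, persistent.

    This only drops traffic to that address; it removes nothing from the
    machine, and if the address belongs to the tool's own servers it also
    cuts the tool off.  Undo with `route delete <ip>`.
    """
    ipaddress.IPv4Address(ip)            # raise early on garbage input
    ipaddress.IPv4Address(dead_gateway)
    return f"route add -p {ip} mask 255.255.255.255 {dead_gateway}"


if __name__ == "__main__":
    for f in triage(parse_netstat(SAMPLE_NETSTAT), make_dict_resolver(CONSTRUCTED_PTR)):
        print(f)
    print(blackhole_route_cmd("150.70.89.33", "192.168.1.254"))
```

The `tls_port` flag is deliberately just a flag: a peer on 443 means the conversation is probably TLS, nothing more, which is the trap the post walks into before the reverse lookup settles who owns the address. Run it for real by replacing `make_dict_resolver(CONSTRUCTED_PTR)` with `dns_resolver` and feeding it the actual `netstat -an` text.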
Just thought I’d chime in here since it seems no one else is doing the level of analysis on this that you are. I’m a non-technical user and have been seeing these same ‘your pc is being remote controlled’-type pop-ups from RUBotted. When checking the RUBotted logs, and status – nothing. It happens when I’m on sites that have a lot of ads and/or flash video. I’ve been ignoring them because the logs say nothing is there and nothing has popped up in Avast AV. I have repeatedly clicked the “run housecall now” button but Housecall won’t run on my machine for some reason (in IE or FF3). Don’t know what else to do about this. Hoping you come up with a solution since TrendMicro seems to be ignoring it under the “it’s a beta” banner.
Reply
Facebook User reply on December 9th, 2008 10:07 am:
@Buck, Thanks for adding your comments Buck! The more information we get, the more we are able to hunt this thing down!
Reply
I gave up on trying to detect the so-called bot on my PC (no bot found after numerous scans with numerous AV apps) and uninstalled this nice piece of BETA rubbish. Bye TrendMicro, have a nice life.
PS: the popups occur on Vista only; on my XP it seems to be ok
Reply