
Some New Takes on the Botnet Issue!

After the many responses from readers, I did some snooping and have some possible causes of this botnet pop-up issue.

Now, I want you to bear with me on this one because I’m going to take a chain of events to make a connection.

I wanted to establish a time frame for the pop-up, so I went back to my original first post and found the date to be November 20th. So let’s assume that the pop-ups started around that time (plus or minus a week, to be on the safe side).

What’s happened in and around that time frame?

  • Microsoft issued a critical update for “Vulnerability in Server Service Could Allow Remote Code Execution (958644)”: Microsoft Security Bulletin MS08-067, October 23, 2008 (an out-of-band release, outside the normal monthly cycle)
  • Microsoft issued an important update for “Vulnerability in SMB Could Allow Remote Code Execution (957097)”: Microsoft Security Bulletin MS08-068, November 11, 2008
  • Microsoft issued a critical update for “Vulnerabilities in Microsoft XML Core Services Could Allow Remote Code Execution (955218)”: Microsoft Security Bulletin MS08-069, November 11, 2008
  • On November 25, I issued the Bot Update saying it was Flash, because a Flash update had just been issued. (We now know that Flash is NOT the issue.)
  • On November 25, Trend’s Malware Blog reported on a newly found worm that may be the precursor to a new botnet and that exploits the MS08-067 vulnerability!
  • On December 6, Sun issued 13 updates to Java, according to a new post on the Trend Labs blog!

Now, follow with me here a minute. Remember I’ve been saying that the ads on the websites are using JavaScript inside JavaScript? Other readers have reported the Java pop-up in their toolbar along with the RUBotted pop-up, whereas on the sites I’ve been on, Java is already running before the RUBotted pop-up appears.

What if, this new botnet is being delivered through – or trying to be delivered through – the ad servers?

Now take into consideration the fact that ads are everywhere. What better way to access the millions of users?

And, what if this isn’t just your average, run of the mill threat? We’ve seen blended threats before. What if this takes the threat up a few notches?

The Microsoft vulnerability cited in MS08-067, which Trend Labs found being exploited as a precursor to a new botnet, is described in the bulletin as:

The vulnerability could allow remote code execution if an affected system received a specially crafted RPC request. On Microsoft Windows 2000, Windows XP, and Windows Server 2003 systems, an attacker could exploit this vulnerability without authentication to run arbitrary code. It is possible that this vulnerability could be used in the crafting of a wormable exploit.

What the bulletin itself doesn’t tell us is EXACTLY what that specially crafted RPC request is. The netapi32.dll write-up linked further down does: it is a request to the Server service (the Windows component that answers file and print sharing requests over SMB, TCP ports 139 and 445) that trips a bug in the code that cleans up, or canonicalizes, a path name sent by the remote side. On Windows 2000, XP and Server 2003 no logon is needed to reach that code, which is why the bulletin calls it wormable.

For those of you who do not know what RPC is: a Remote Procedure Call lets one program ask another process, on the same computer or across the network, to run a function on its behalf as if the function were local. Windows is built on this. The Remote Procedure Call (RPC) service is the plumbing that many Windows services use to accept requests, and the Server service that MS08-067 patches is one of them. The attacker doesn’t need a database or anything else special on the target; any machine that accepts an SMB connection to its Server service will also accept the malformed request, unless it has been patched or the ports are blocked.

If you right-click your MY COMPUTER icon and choose MANAGE, you can navigate to Services and Applications and see the services on your computer. Switch to the Standard tab at the bottom and you’ll see the alphabetical list of every service running and stopped on your computer. Find the Remote Procedure Call (RPC) service in the list. Either double-click it to open it or right-click and choose Properties. Look at the Dependencies tab. While you are there, also find the service simply called Server: that is the one MS08-067 fixes, and it sits on top of RPC.

The Dependencies tab shows two lists: the services this one needs in order to start, and, in the lower pane, the services that need this one. For RPC the lower list is most of Windows, which is why the Stop button is greyed out and why you can’t simply turn it off to protect yourself. The protection is the MS08-067 patch, plus keeping ports 139 and 445 closed to the Internet at your router or firewall. (Covered in our Advanced PC Security course, by the way!)

Now, add that to the multitude of mashups, web apps, and other web vulnerabilities, like cross-site scripting and the like, and you’ve got a recipe for disaster!

I want to go on record stating right here, right now, that I believe Ad servers are serving up a new kind of bot that we have not seen the likes of yet!

Now, let’s add to this the more detailed reporting on the bug itself (found after much digging, I might add), which explains the coding defect rather than any misconfiguration: the path canonicalization code in netapi32.dll mishandles components like “..\” in a path that arrives from the network. For those of you more technically oriented, see this link: FIO02-C. Canonicalize path names originating from untrusted sources, and this link: More detail about MS08-067, the out-of-band netapi32.dll security update.
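To make that defect class concrete, here is an added illustration in C. It is the editor’s example, not code from netapi32.dll, from Microsoft, or from this blog, and the real MS08-067 bug differs in its details. It shows what the CERT rule FIO02-C is about: a canonicalizer that collapses “..\” components must never let its output cursor back up past the start of its own buffer. The unsafe version walks the cursor backwards with no floor check; the hardened version refuses a path that would climb above the root and bounds every write. The function names, the backslash-only path grammar, the buffer size and the sample paths are all assumptions made for this demonstration.

```c
/* Added illustration (editor's example): not code from netapi32.dll or from this
 * blog.  Grammar assumed: absolute, backslash-separated Windows-style paths. */
#include <stdio.h>
#include <string.h>

#define OUT_SIZE 260   /* assumed output buffer size, a stand-in for MAX_PATH */

/* UNSAFE: collapses "..\" by walking the output cursor back to the previous
 * separator with no floor check.  On "\..\x" pos reaches -1 and the next
 * write lands in front of the buffer.  Kept for contrast only; nothing in
 * this program feeds it a path that climbs above the root. */
int canonicalize_unsafe(const char *in, char *out, size_t out_size)
{
    int pos = 0;                        /* signed and never compared with 0 */
    const char *p = in;

    if (*p != '\\')
        return -1;
    while (*p) {
        const char *start = ++p;        /* step over the separator */
        while (*p && *p != '\\')
            p++;
        size_t len = (size_t)(p - start);
        if (len == 0 || (len == 1 && start[0] == '.'))
            continue;                   /* "" and "." are no-ops */
        if (len == 2 && start[0] == '.' && start[1] == '.') {
            do {                        /* BUG: nothing stops pos going below 0 */
                pos--;
            } while (out[pos] != '\\');
            continue;
        }
        if (pos + 1 + (int)len >= (int)out_size)
            return -1;
        out[pos++] = '\\';
        memcpy(out + pos, start, len);
        pos += (int)len;
    }
    if (pos == 0)
        out[pos++] = '\\';
    out[pos] = '\0';
    return 0;
}

/* SAFE: same grammar, but ".." at the root is rejected instead of moving the
 * cursor below zero, and every write is bounded by out_size. */
int canonicalize_safe(const char *in, char *out, size_t out_size)
{
    size_t pos = 0;
    const char *p = in;

    if (out_size < 2 || *p != '\\')
        return -1;                      /* relative paths are out of scope */
    while (*p) {
        const char *start = ++p;
        while (*p && *p != '\\')
            p++;
        size_t len = (size_t)(p - start);
        if (len == 0 || (len == 1 && start[0] == '.'))
            continue;
        if (len == 2 && start[0] == '.' && start[1] == '.') {
            if (pos == 0)               /* would climb above the root: refuse */
                return -1;
            do {
                pos--;
            } while (pos > 0 && out[pos] != '\\');
            continue;
        }
        if (pos + 1 + len >= out_size)  /* room for '\', component and NUL */
            return -1;
        out[pos++] = '\\';
        memcpy(out + pos, start, len);
        pos += len;
    }
    if (pos == 0)
        out[pos++] = '\\';              /* everything collapsed: the root */
    out[pos] = '\0';
    return 0;
}

/* Check helpers: does canonicalize_safe accept `in` and yield `expected`? */
int safe_yields(const char *in, const char *expected)
{
    char out[OUT_SIZE];
    return canonicalize_safe(in, out, sizeof out) == 0 && strcmp(out, expected) == 0;
}
int safe_rejects(const char *in)
{
    char out[OUT_SIZE];
    return canonicalize_safe(in, out, sizeof out) == -1;
}

int main(void)
{
    const char *samples[] = { "\\a\\b\\..\\c", "\\a\\..", "\\..\\..\\x" }; /* constructed */
    char out[OUT_SIZE];
    for (size_t i = 0; i < 3; i++)
        printf("%-12s -> %s\n", samples[i],
               canonicalize_safe(samples[i], out, sizeof out) == 0 ? out : "rejected");
    return 0;
}
```

The only difference that matters between the two functions is the `if (pos == 0) return -1;` line and the `pos > 0` guard in the loop: one check on the cursor turns a path that climbs above the root from an out-of-bounds write into a rejected request. That is the shape of fix FIO02-C asks for: canonicalize untrusted paths with code that cannot be steered outside its own buffer, and reject rather than guess when the input makes no sense.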

Now, why am I so sure that this is going to come through ads?

Consider this…. most ad services allow you to remotely host your advertising feed content. That being the case, who’s policing what’s being served? No one. If someone was, why are we still getting Antivirus 2009 and its variants delivered through ads? My Gmail is full of malware that comes in through my alerts! So tell me, who’s minding the store?

I really hope I’m wrong about this but my gut tells me that I’m not.

I think we are in for one heck of a new bot! Don’t say I didn’t warn you!

As always, comments welcome!


14 Responses to “Some New Takes on the Botnet Issue!”

  • Buck:

    Hi,
    I commented on one of your prior posts before I realized you had made a number of updates and are now here on this, your most current post.

    The big problem as I see it is that I’m a reasonably savvy home PC user but not a whiz, don’t know how to do any coding or command line stuff, and I depend on things like Avast (which hasn’t stopped “spinning” since mid-November for some reason), Threatfire, and RUBotted to keep my surfing safe and keep outsiders OUT of my PC. But when stuff like the constant RUBotted alerts keeps happening, and I have no way to deal with it (certainly not on any level even remotely compared to what you’ve been doing) I get so frustrated I could scream.

    Oh and I get the RUBotted warnings (with the RUBotted log showing no activity) in Opera as well as in FF3 with NoScript running. I don’t use any type of IM or Chat (except that I do use Gmail and that has a chat feature but I wasn’t aware that was a separate application), I don’t use Zonealarm, I do use a router…

    Oh, and according to Gibson Research ShieldsUp, Port 22 is no longer “stealthed” – it shows up as “CLOSED” and I have no idea why or how.

    Not sure if any of that helps your investigation in any way but I hope it does. Thanks for what you are doing.


    Facebook User reply on December 9th, 2008 10:09 am:

    @Buck, Every little bit, no matter how minor you think it is helps! I do appreciate you taking the time to let us know! The Port 22 is a new issue. Interesting! I’ll get checking on that! Thank you again!


  • Ddraig:

    Hi Debbie,

    I don’t think the Ad thing is related to RUBotted. Antivirus 2009, which you mention, does come through web ads and Google ads. This has been occurring for quite some months now. It is called drive-by infection. You may be experiencing a combination of things. I haven’t yet read your 09 post, but will shortly.

    Have you tried downloading mIRC? My guess is that whatever bot/virus this is, it is being distributed via ads, its bot wranglers are using IRC to send commands.

    If it is the Ads sending the RUBotted alert, restart your computer and let it sit for a while to see if it gets any alerts without you doing anything. Then go in and turn RUBotted monitoring of IRC traffic off before you launch any browser. If it doesn’t alert, then it isn’t web ads, it is IRC. Keep doing it until we figure out what protocol it is. 99% sure it is IRC now.


    Facebook User reply on December 9th, 2008 4:19 pm:

    @Ddraig, We may both be right since Bots use IRC channels!


  • Mike Mangan:

    If it walks like a duck… I am a network engineer with 20+ years of experience. I have “defense in layers” on my home network. I was trying RUBotted (TrendMicro), which was very (too?) quick to report that nothing was wrong for several days. Suddenly, I get a report of a ‘bot’ on my machine. Download our entire suite was the answer! And BTW, remove the competitors’ products before we can start (to include CA AV, which has protected me successfully for over 5 years). Bottom line: with the entire TM suite installed, full scans and all recommended fixes performed, RUBotted is still complaining of a ‘bot’ on board and telling me to run ‘Housecall’!! To me, this is worthy of an FTC investigation.


    Facebook User reply on December 11th, 2008 12:43 pm:

    @Mike Mangan, Thanks for taking the time to comment! I understand where you’re coming from, but I have Trend Micro IS Pro and I’m still getting these. That’s why I think it’s more than just a marketing ploy. But you did give me another angle to look at too. There was something I recently read that may make what you’re saying a little clearer. I’ll be back on this!


  • Todd:

    Hi Deb,
    Just wanted to tell you about my infection about 3 weeks ago.
    My daughter’s computer was infected with Antivirus 2009. I’m not sure how it arrived there, but the cable company threatened to shut off service if we didn’t find the infected PC and fix it. I went to all the PCs in my home (2 wired, 2 wireless) and watched to see what was going on. I tried several programs to remove Antivirus 2009 with no success. Couldn’t even shut it down without it restarting itself, and I dreaded the thought of wiping the HD and reinstalling Windows. I had a flash of genius and renamed the folder the virus was residing in and restarted the PC; it didn’t start up and I could now safely delete the problem program.
    Last Friday my website was hacked into, and as far as I could tell the only thing that was changed was the first index page. Are there other things I should dig deeper into? I have reset the admin password to a much higher level of security.
    Thanks for your time.
    Todd


    Facebook User reply on December 12th, 2008 5:56 pm:

    @Todd,


  • Neil Carron:

    When are you going to finish this investigation? Yours is the only site that seems to take the problem seriously. I am still getting the warning messages two to three times a day and want to fix the problem. I use excite.com for my home page and it refreshes every 30 minutes. I think the bot warning happens when the refresh completes.


    Facebook User reply on February 2nd, 2009 8:42 am:

    @Neil Carron, I will be following it up this week. I’m sorry, I’ve been a bit overwhelmed lately.


    Neil Carron reply on February 3rd, 2009 8:49 pm:

    @Admin,
    Thanks for your quick reply. I, and I am sure many others, are hoping that you will find the root cause of the issue so we can get this cleared up for good.


    Facebook User reply on February 10th, 2009 5:55 pm:

    @Neil Carron, I think we might be on to it if not found it! I’ll be posting this follow-up today!

  • One more reason to use a mac ;)


  • Arcy:

    Visiting http://www.reportpoll.com/ will cause a rubotted pop-up. (redir) Interestingly enough, the rubotted log is completely empty. Thoughts?
