
As you may remember from several of my previous posts (RUBotted Popup and Microsoft Bulletins and Botnets, to name just two), I use Trend Micro’s RUBotted regularly and recommend using it.

I’ve noticed a recurring false positive in the pop-up message every time I visit a specific forum I belong to on Bravenet.

Specifically, I receive this message:

detected DNS query of malicious domain


Not only do I receive the “Botnet found” pop-up message when visiting the forum, I also get the reported result that Trend Micro RUBotted has “detected DNS query of malicious domain” without it giving an IP address or a malicious domain name, so there is nothing to verify.

Since I’m running Trend Micro Internet Security, I don’t click the message to run HouseCall.  But I did run all my other tools to check for some kind of strange botnet-like behavior on my machine.  That included checking all the open connections on my computer to see if there was something running in the background that I wasn’t aware of.

But, alas and alack, there was nothing.

So that led me to start researching what this message might be related to.  I researched the message “detected DNS query of malicious domain” only to find others experiencing the same kind of problem, but on different sites.

I then started looking for the trigger point of this message on the forum I belong to – which has led me to the conclusion that this is a false positive for me.

Now don’t get me wrong, there are sites that will trigger this legitimately, because an advertisement or hidden code in the site’s page programming could be triggering it. So don’t assume that all of the “detected DNS query of malicious domain” messages are false positives. THEY ARE NOT!

For those of you who are a bit more technically inclined than others, let me explain how I researched this so you can do your own bot check on a site triggering the RUBotted pop-up.

Once I was in the forum on Bravenet and I received the pop-up message that a botnet was found, I opened View Page Source to see the coding behind the page I was viewing.  I looked at every single link to see if there was some outside IP address or outside website that would trigger this. All references in the links on the page referred to the forum at Bravenet’s website.

However, on certain pages there are links to websites posted by people writing in the forum, and upon researching one of those links, I found that it had been listed as a potential malware site.  So it isn’t necessarily the site you’re visiting that creates the false positive; it could be something on the page itself, or a link to a potential or known malware site.
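One way to do this link check with a script rather than by eye, as an added example that is not part of the original post: it pulls every href and src out of a page (a constructed sample here), resolves them against the page URL, and separates hosts that differ from the page’s own host into blocklisted and not-yet-reviewed sets. The sample hostnames and the blocklist are constructed placeholders, not real indicators.

```python
# Added example (not from the original post): triage a page's outbound
# references the way the post describes doing by hand in View Page Source.
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Constructed sample page standing in for the forum page; hostnames are placeholders.
SAMPLE_PAGE_URL = "http://forum-host.bravenet.example/forum/show.php?id=1"
SAMPLE_HTML = """
<html><body>
<a href="/forum/index.php">Forum home</a>
<img src="http://forum-host.bravenet.example/img/logo.gif">
<script src="http://ads.example-adnet.test/tag.js"></script>
<p>Visit my site: <a href="http://members-site.example.test/page.html">here</a></p>
<iframe src="http://bad-host.example.test/frame.html"></iframe>
</body></html>
"""
# Constructed blocklist; in practice use your AV vendor's or a reputation feed.
BLOCKLIST = {"bad-host.example.test"}


class RefCollector(HTMLParser):
    """Collect every URL the browser would fetch (src) or the user could click (href)."""
    ATTRS = {"href", "src"}

    def __init__(self):
        super().__init__()
        self.urls = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in self.ATTRS and value:
                self.urls.append(value)


def external_hosts(html, page_url):
    """Return the set of referenced hostnames that differ from the page's own host."""
    parser = RefCollector()
    parser.feed(html)
    page_host = urlsplit(page_url).hostname
    hosts = set()
    for u in parser.urls:
        host = urlsplit(urljoin(page_url, u)).hostname  # relative links resolve to page_host
        if host and host.lower() != page_host:
            hosts.add(host.lower())
    return hosts


def flag_hosts(hosts, blocklist=BLOCKLIST):
    """Split external hosts into blocklisted ones and ones still needing manual review."""
    listed = sorted(h for h in hosts if h in blocklist)
    unknown = sorted(h for h in hosts if h not in blocklist)
    return listed, unknown


if __name__ == "__main__":
    listed, unknown = flag_hosts(external_hosts(SAMPLE_HTML, SAMPLE_PAGE_URL))
    print("blocklisted:", listed)
    print("review manually:", unknown)
```

Anything in the “review manually” list is what you would then look up by hand, exactly as the post describes; an ad-network host showing up there is the case discussed further down.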

There are also questions raised out there about whether Bravenet itself is a malicious site. Because it hosts FREE forums, there’s no doubt in my mind that someone could have set up a forum with the intent of directing people to a malicious site.  But I went to Bravenet.com itself and did not receive the RUBotted pop-up. So it was definitely not that site that was the malicious domain.

The take away point of this post is, sometimes you will get false positives.

When in doubt, assume the worst unless you know with all certainty that the site you are on is indeed safe.  In my case, the forum I belong to is an invitation-only forum of professional people.

Remember, advertising networks such as Google Ads and others rotate advertisers on a site, and a malware advertiser in that rotation would trigger RUBotted. So if the site you’re visiting is heavily laden with advertising, you can safely assume that it was an ad that triggered the query of a malicious domain.

As I say repeatedly, ALWAYS err on the side of caution when it comes to security!  And I think Trend Micro’s RUBotted does that.

I hope this has helped resolve some of the confusion out there.


After the many responses from readers, I did some snooping and have some possible causes for this botnet pop-up issue.

Now, I want you to bear with me on this one because I’m going to take a chain of events to make a connection.

I wanted to establish a time frame for the pop-up, so I went back to my original post and found the date to be November 20th.  So let’s assume that the pop-ups started around that time (plus or minus a week to be on the safe side).

What’s happened in and around that time frame?

  • Microsoft issued a critical update for Vulnerability in Server Service Could Allow Remote Code Execution (958644): Microsoft Security Bulletin MS08-067, October 23, 2008
  • Microsoft issued an important update for Vulnerability in SMB Could Allow Remote Code Execution (957097): Microsoft Security Bulletin MS08-068, November 11, 2008
  • Microsoft issued a critical update for Vulnerabilities in Microsoft XML Core Services Could Allow Remote Code Execution (955218): Microsoft Security Bulletin MS08-069, November 11, 2008
  • On November 25, I issued the Bot Update saying it was Flash because a Flash update had been issued. (We now know that Flash is NOT the issue.)
  • On November 25, Trend’s Malware Blog reported on a newly found worm that may be the precursor to a new botnet exploiting the Microsoft MS08-067 vulnerability!
  • On December 6, Sun issued 13 updates to Java, according to a new post on the Trend Labs blog!

Now, follow with me here a minute. Remember I’ve been saying that the ads on the websites are using JavaScript inside JavaScript? Other readers have reported the Java pop-up in their toolbar along with the RUBotted pop-up, whereas the sites I’ve been on already had Java running before the RUBotted pop-up.

What if this new botnet is being delivered through, or is trying to be delivered through, the ad servers?

Now take into consideration the fact that ads are everywhere. What better way to access the millions of users?

And, what if this isn’t just your average, run of the mill threat? We’ve seen blended threats before. What if this takes the threat up a few notches?

The Microsoft vulnerability cited in MS08-067, which Trend Labs found being exploited as a precursor to a new botnet, is described as:

The vulnerability could allow remote code execution if an affected system received a specially crafted RPC request. On Microsoft Windows 2000, Windows XP, and Windows Server 2003 systems, an attacker could exploit this vulnerability without authentication to run arbitrary code. It is possible that this vulnerability could be used in the crafting of a wormable exploit.

What Microsoft doesn’t tell us is EXACTLY what that specially crafted RPC request is!

For those of you who do not know what RPC is, it’s the Remote Procedure Call service that lets programs request work from another process or another machine, and it underpins millions of things on your computer. For example, say you want to connect to a remote database somewhere: the RPC service is what “calls” the remote server (code language for requesting a connection, so to speak) to make the connection.

If you right-click your MY COMPUTER icon and choose MANAGE, you can navigate to Services and Applications and see the services running on your computer. Switch to the Standard tab and you’ll see an alphabetical list of every service, running and stopped, on your computer. Find the Remote Procedure Call (RPC) service in the list. Either double-click it to open it or right-click and choose Properties. Look at the Dependencies tab.

The Dependencies are all the other programs and services that need to use this service! (Covered in our Advanced PC Security course, by the way!)

Now, add that to the multitude of mashups, web apps, and other web vulnerabilities, like cross-site scripting and the like, and you’ve got a recipe for disaster!

I want to go on record stating right here, right now, that I believe Ad servers are serving up a new kind of bot that we have not seen the likes of yet!

Now, let’s add to this the more detailed reporting on part of this (after much digging, I might add) that explains how the code could be misconfigured. For those of you more technically oriented, see this link: FIO02-C. Canonicalize path names originating from untrusted sources, and this link: More detail about MS08-067, the out-of-band netapi32.dll security update.

Now, why am I so sure that this is going to come through ads?

Consider this…. most ad services allow you to remotely host your advertising feed content. That being the case, who’s policing what’s being served? No one.  If someone was, why are we still getting Antivirus 2009 and its variants delivered through ads? My Gmail is full of malware that comes in through my alerts! So tell me, who’s minding the store?

I really hope I’m wrong about this but my gut tells me that I’m not.

I think we are in for one heck of a new bot! Don’t say I didn’t warn you!

As always, comments welcome!


US Army Publishes Report On Terrorist & Vegetarian Use of Twitter

Received this from a Twitter friend. The full report is downloadable from the website. Aside from the vegetarians using Twitter, this is a very interesting report if you read between the other lines. Enough said?

Feuding India, Pakistani Hackers Deface Web Sites

No longer confined to conventional battle tactics, this Yahoo/PC World article illustrates how conflicts are being fought on the digital front too. Our world has definitely changed.

Richard Branson: Business Stripped Bare

Richard Branson’s (of Virgin fame & fortune) video blog. Interesting. Not to Sir Branson – very provocative title too I might add!) 8-)

Botnet Saga Continues

I guess I spoke way too soon! I was in my Yahoo mail today, opened an e-mail and boom! Got the pop-up again! Sigh.

And, as many readers have commented and pointed out to me personally, there are many inconsistencies:

  • Some PCs have never exhibited the pop-ups even though they did not update their flash player.
  • Some PCs have stopped receiving the pop-ups even though they did not update their flash player.
  • Some PCs are still receiving the pop-ups even though they did update their flash player.

So now, we wait for Anthony’s analysis of the flash files.

In the meantime, I have to do my annual re-caulk of the shower tiles today! I can tell you, I’d rather be doing forensics! A woman’s work is never done! Especially when she’s the “handyman” in the house purchase partnership! (Now you know why my daughters and I received the nicknames “Macho Mahler!”)

Have a great weekend!

And stay tuned for the update about the RUBotted situation as it unfolds!

Debbie
