Posts Tagged ‘bot’
Some New Takes on the Botnet Issue!
After the many responses from readers I did some snooping and have some possible causes of this botnet pop-up issue.
Now, I want you to bear with me on this one because I’m going to take a chain of events to make a connection.
I wanted to establish a time frame of the pop-up so I went back to my original, first post and found the date to be November 20th. So let’s assume that the pop-ups started around that time (plus or minus a week to be on the safe side).
What’s happened in and around that time frame?
- Microsoft issued a critical update to a Vulnerability in Server Service Could Allow Remote Code Execution (958644): Microsoft Security Bulletin MS08-067, October 23, 2008
- Microsoft issued an important update to a Vulnerability in SMB Could Allow Remote Code Execution (957097): Microsoft Security Bulletin MS08-068, November 11, 2008
- Microsoft issued a critical update to Vulnerabilities in Microsoft XML Core Services Could Allow Remote Code Execution (955218): Microsoft Security Bulletin MS08-069, November 11, 2008
- On November 25, I issued the Bot Update saying it was Flash because there was a Flash update issued. (We now know that Flash is NOT the issue.)
- On November 25, Trend’s Malware Blog reports on a newly found worm, that may be the precursor to a new botnet that’s exploiting the Microsoft MS08-067 Vulnerability!
- On December 6, Sun issues 13 updates to Java according to a new post on the Trend Labs blog!
Now, follow with me here a minute. Remember I’ve been saying that the ads on the websites are using JavaScript inside JavaScript? And other readers have reported the pop-up of the Java in their toolbar along with the RUBotted pop-up, whereas the sites I’ve been on already have Java running before the RUBotted pop-up.
What if, this new botnet is being delivered through – or trying to be delivered through – the ad servers?
Now take into consideration the fact that ads are everywhere. What better way to access the millions of users?
And, what if this isn’t just your average, run of the mill threat? We’ve seen blended threats before. What if this takes the threat up a few notches?
The Microsoft Vulnerability cited in MS08-067 that Trend Labs found being exploited as a precursor to a new botnet is:
The vulnerability could allow remote code execution if an affected system received a specially crafted RPC request. On Microsoft Windows 2000, Windows XP, and Windows Server 2003 systems, an attacker could exploit this vulnerability without authentication to run arbitrary code. It is possible that this vulnerability could be used in the crafting of a wormable exploit.
What Microsoft doesn’t tell us is EXACTLY what that specially crafted RPC request is!
For those of you who do not know what RPC is, it’s the Remote Procedure Call code that allows you to do millions of things on your computer. For example, say you want to connect to a remote database somewhere, the RPC service is what calls (code language for requesting a connection, so to speak) the remote server to make the connection.
If you right click over your MY COMPUTER icon and choose MANAGE, you can navigate to Services and Applications and see the Services running on your computer. Switch to the Standard tab and you’ll see the alphabetical list of every service running and stopped on your computer. Find the Remote Procedure Call (RPC) service in the list. Either double click it to open it or right click and choose properties. Look at the Dependencies tab.
The Dependencies are all the other programs and services that need to use this service! (Covered in our Advanced PC Security course, by the way!)
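The same Services walk-through done from the command line, as an added example that is not part of the original post. It assumes a Windows host with PowerShell 2.0 or later, uses the real service short name RpcSs for “Remote Procedure Call (RPC)”, and checks for KB958644, the knowledge-base number of the MS08-067 update listed above.

```powershell
# Added example (not from the original post): PowerShell equivalent of
# Computer Management > Services > Remote Procedure Call (RPC) > Dependencies.
# Assumes Windows with PowerShell 2.0 or later. "RpcSs" is the real short
# name of the "Remote Procedure Call (RPC)" service.

$rpc = Get-Service -Name RpcSs
"Remote Procedure Call (RPC) status: $($rpc.Status)"

# Upper box on the Dependencies tab: services RPC itself needs.
"`nRpcSs depends on:"
$rpc.ServicesDependedOn |
    Select-Object Name, DisplayName, Status | Format-Table -AutoSize

# Lower box on the Dependencies tab: every service that needs RPC,
# i.e. what stops working if RPC is stopped or compromised.
"`nServices that depend on RpcSs:"
$rpc.DependentServices | Sort-Object DisplayName |
    Select-Object Name, DisplayName, Status | Format-Table -AutoSize

# The Server service (short name LanmanServer) is the one patched by MS08-067;
# show whether it is running on this machine.
$srv = Get-Service -Name LanmanServer
"`nServer service (LanmanServer) status: $($srv.Status)"

# Check whether the MS08-067 update (KB958644) is installed.
$fix = Get-HotFix -Id KB958644 -ErrorAction SilentlyContinue
if ($fix) {
    "MS08-067 (KB958644) is installed, installed on: $($fix.InstalledOn)"
} else {
    "MS08-067 (KB958644) NOT found; install the update from the Microsoft bulletin."
}
```

Run it from an elevated PowerShell prompt so that Get-HotFix can read the update history; the two dependency lists are the same two boxes shown on the Dependencies tab in the GUI.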
Now, add that to the multitude of mashups, web apps, and other web vulnerabilities, like cross-site scripting and the like, and you’ve got a recipe for disaster!
I want to go on record stating right here, right now, that I believe Ad servers are serving up a new kind of bot that we have not seen the likes of yet!
Now, let’s add to this the more detailed reporting on part of this (after much digging, I might add), which explains how the code could be misconfigured. For those of you more technically oriented, see this link: FIO02-C. Canonicalize path names originating from untrusted sources, and this link: More detail about MS08-067, the out-of-band netapi32.dll security update
Now, why am I so sure that this is going to come through ads?
Consider this… most ad services allow you to remotely host your advertising feed content. That being the case, who’s policing what’s being served? No one. If someone was, why are we still getting the Antivirus 2009 and its variants being delivered through ads? My Gmail is full of malware that comes in through my alerts! So tell me, who’s minding the store?
I really hope I’m wrong about this but my gut tells me that I’m not.
I think we are in for one heck of a new bot! Don’t say I didn’t warn you!
As always, comments welcome!
Friday’s Quickies
US Army Publishes Report On Terrorist & Vegetarian Use of Twitter
Received this from a twitter friend. The full report is downloadable from the website. Aside from the vegetarians using Twitter, this is a very interesting report if you read between the other lines. Enough said?
Feuding India, Pakistani Hackers Deface Web Sites
No longer confined to conventional battle tactics, this Yahoo/PC World article illustrates how conflicts are being fought on the digital front too. Our world has definitely changed.
Richard Branson: Business Stripped Bare
Richard Branson’s (of Virgin fame & fortune) video blog. Interesting. (Note to Sir Branson – very provocative title too, I might add!)
Botnet Saga Continues
I guess I spoke way too soon! I was at my yahoo mail today, opened an e-mail and boom! Got the pop-up again! Sigh.
And, as many readers have commented and pointed out to me personally, many inconsistencies:
- Some PCs have never exhibited the pop-ups even though they did not update their flash player.
- Some PCs have stopped receiving the pop-ups even though they did not update their flash player.
- Some PCs are still receiving the pop-ups even though they did update their flash player.
So now, we wait for Anthony’s analysis of the flash files.
In the meantime, I have to do my annual re-caulk of the shower tiles today! I can tell you, I’d rather be doing forensics! A woman’s work is never done! Especially when she’s the “handyman” in the house purchase partnership! (Now you know why my daughters and I received the nicknames “Macho Mahler!”)
Have a great weekend!
And stay tuned for the update about the RUBotted situation as it unfolds!
Debbie
Bot Update
Last night I updated my Flash files and I was still getting notices as per my added notice on the post: A Possible Answer to the RUBotted Pop-ups?
However, this morning – upon boot – I’ve yet to receive one. I also went directly to the main file disclosed in the previous post that was serving up the ad and I did not receive the pop-up.
At this point, I can only conclude that the flash was the vulnerability and it is NOT a glitch or bug in RUBotted.
Anthony Valente, my partner from Network Defense Solutions is working with the Flash file I sent him this morning to find out what it was in the file that might have been doing this. Only by understanding how the malware providers are pushing this crap on us, can we understand how to protect ourselves.
Stay tuned for more disturbing news about the ad servers from hell! You are not going to be happy when you hear what Anthony has uncovered through my initial research with the Antivirus 2009!
In the meantime, go update your flash players PLEASE!