MICE Website Home
Nov 20

Folks, I think we have a problem, right here in Internet City. Ok, that’s a bad play on words from the Music Man song. But I am VERY SERIOUS. Or, as the saying goes, I’m as serious as a heart attack!

I’m greatly disturbed by something that’s happening repeatedly and with great regularity!

Every morning I go to a website: tarot.com to read my horoscope and other tidbits of information. My housemate visits there too on weekend mornings.

First, let me preface this by saying that over the past several months, tarot.com has added a slew of Google ads (AdSense) and other ad delivery services to their site. Their site content is free so I do understand the need to generate income, believe me I do!

The reason I’m telling you this is because there seems to be a direct correlation between the amount of ad content and the quickly spreading malware that we are seeing recently.

Just now, as I’m writing this, I received a call from another person that told me the same thing happened to him on Yahoo Mail. I immediately went to Yahoo and received the exact same pop-up message again! This botnet thing - whatever it is - is disabling the Antivirus programs too!

Last weekend, while at tarot.com my housemate received the dreaded Antivirus 2009 pop-up message while visiting their site. Of course, he knows how to exit that without becoming infected with the Trojan, and I alerted their support immediately. They said they would investigate. To date, I have not received that particular message and I’ve heard nothing further from the folks at Tarot.com.

This morning, I’m visiting there and I get my Trend RUBotted pop-up stating that a bot was found.

So, I immediately close my browser and start the scans. Here’s the interesting part, every scan came up negative.

And my RUBotted log doesn’t even acknowledge a threat! WHAT????

I even went so far as to scan with Trend’s online Housecall! And no threats found. WTF?

Now, I shut down - totally shut down because something is deeply wrong here.

I boot to the following problem with TrendMicro Internet Security Pro:

My Trend is disabled and I cannot restart it.

Now I run Spybot Search and Destroy. I only find a few measly cookies in Firefox and a bad saved bookmark that I didn’t know was dangerous!

Now I’m perplexed! What in the heck is going on????

Now, I run a Wireshark packet capture and I go back to Yahoo Mail to see if I can duplicate the bot message. And sure enough! There it is again!

But this time, I have an IP address!

150.70.89.33

WHOIS says this:

OrgName:    Asia Pacific Network Information Centre
OrgID:      APNIC
Address:    PO Box 2131
City:       Milton
StateProv:  QLD
PostalCode: 4064
Country:    AU

So now I go to the Whois for APNIC (http://wq.apnic.net/apnic-bin/whois.pl) and find this on the IP:

inetnum:      150.26.0.0 - 150.100.255.255
netname:      JAPAN150
country:      JP
descr:        Japan Network Information Center
admin-c:      JNIC1-AP
tech-c:       JNIC1-AP
status:       ALLOCATED PORTABLE
notify:       hostmaster@nic.ad.jp
mnt-by:       MAINT-JPNIC
changed:      hm-changed@apnic.net 20070824
source:       APNIC

role:         Japan Network Information Center
address:      Kokusai-Kougyou-Kanda Bldg 6F, 2-3-4 Uchi-Kanda
address:      Chiyoda-ku, Tokyo 101-0047, Japan
country:      JP
phone:        +81-3-5297-2311
fax-no:       +81-3-5297-2312
e-mail:       hostmaster@nic.ad.jp
admin-c:      JI13-AP
tech-c:       JE53-AP
nic-hdl:      JNIC1-AP
mnt-by:       MAINT-JPNIC
changed:      hm-changed@apnic.net 20041222
changed:      hm-changed@apnic.net 20050324
changed:      ip-apnic@nic.ad.jp 20051027
source:       APNIC
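
A quick check worth doing before drawing conclusions from a WHOIS record: confirm that the captured address really sits inside the allocation the record reports, and see what that allocation looks like as routable prefixes. The block below is an added example using Python’s standard ipaddress module; it is not the author’s tooling, and the only values in it taken from this post are the captured IP and the inetnum line quoted above. One caveat a practitioner would add: an APNIC record with netname JAPAN150 and status ALLOCATED PORTABLE identifies the block delegated to JPNIC, the national registry, not the organisation that actually uses 150.70.89.33. The more specific assignment lives in JPNIC’s own whois (whois.nic.ad.jp), so the registry’s country says little by itself about who is on the other end of the connection.

```python
import ipaddress

# Both constants are copied from the WHOIS output quoted above. The rest of
# this block is an added illustration, not the author's tooling.
CAPTURED_IP = "150.70.89.33"
APNIC_INETNUM = "150.26.0.0 - 150.100.255.255"   # the 'inetnum:' line


def parse_inetnum(line):
    """Turn a WHOIS 'inetnum: A - B' range into the list of CIDR blocks that
    cover exactly that range. Registry ranges are often not a single prefix."""
    start, end = (ipaddress.ip_address(part.strip()) for part in line.split("-"))
    if start > end:
        raise ValueError(f"inetnum start is after its end: {line!r}")
    return list(ipaddress.summarize_address_range(start, end))


def block_containing(ip, blocks):
    """Return the CIDR block that contains `ip`, or None if none does."""
    addr = ipaddress.ip_address(ip)
    for net in blocks:
        if addr in net:
            return net
    return None


def describe(ip, inetnum_line):
    """Summarise where `ip` sits inside the registry range."""
    blocks = parse_inetnum(inetnum_line)
    hit = block_containing(ip, blocks)
    return {
        "ip": ip,
        "cidrs": [str(b) for b in blocks],
        "matched": str(hit) if hit is not None else None,
        "address_count": sum(b.num_addresses for b in blocks),
    }


if __name__ == "__main__":
    info = describe(CAPTURED_IP, APNIC_INETNUM)
    print(f"{info['ip']} is covered by {info['matched']}")
    print(f"the allocation spans {info['address_count']:,} addresses "
          f"in {len(info['cidrs'])} CIDR blocks:")
    for cidr in info["cidrs"]:
        print("  " + cidr)
```

The range breaks into six prefixes, and 150.70.89.33 falls in 150.64.0.0/11; that is a 4.9 million address delegation, which is exactly why the next step is the more specific registry lookup rather than a conclusion about the country.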

Surprise, surprise! Japan is at it again!

So, now I’m peeved to say the least. Bastages!

I grabbed the Yahoo mail page source code and the Tarot.com source code. There has to be something duplicated between these two pages that are displaying the same ad code that is allowing this to get in. What is it?

Looking at both pages, I found the advertising code and Tarot.com is using DoubleClick (ad.doubleclick.net) while Yahoo is using ad.yieldmanager.com which, after some research, I tracked down to Right Media.

The tarot.com ad code: (screenshot)

The Yahoo Mail page ad code: (screenshot)

I typed in yieldmanager.com, since ad.yieldmanager.com is a subdomain of yieldmanager.com, and I received this result:

So, I went to the Right Media site and it turns out yieldmanager is a Yahoo company! Imagine that?
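
The comparison done by hand above (grab both page sources, find the ad code, look for what they share) can be done programmatically. This is an added example in Python and not the author’s code: it pulls every externally loaded script, iframe, image, embed and object out of each saved page source, keeps the ones served from a site other than the page’s own, and intersects the sets. The sample HTML is constructed; the only hostnames taken from this post are ad.doubleclick.net and ad.yieldmanager.com, and the AdSense loader host and every path and query string are assumed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed stand-ins for the two saved page sources. The only hostnames taken
# from the post are ad.doubleclick.net and ad.yieldmanager.com; the AdSense
# loader host and every path and query string are assumed for illustration.
SAVED_PAGES = {
    "www.tarot.com": """
        <html><head><title>Daily Horoscope</title>
        <script src="/js/site.js"></script>
        <script src="http://pagead2.googlesyndication.com/pagead/show_ads.js"></script>
        </head><body>
        <img src="http://images.tarot.com/logo.gif" alt="logo">
        <script src="http://ad.doubleclick.net/adj/tarot.horoscope/;sz=728x90"></script>
        </body></html>""",
    "mail.yahoo.com": """
        <html><body>
        <script src="/js/mail.js"></script>
        <script src="//ad.yieldmanager.com/pixel?id=12345"></script>
        <iframe src="http://ad.yieldmanager.com/iframe3?z=1"></iframe>
        </body></html>""",
}

# Tag/attribute pairs that make the browser fetch and run or render somebody
# else's content inside the page.
ACTIVE_ATTRS = {"script": ("src",), "iframe": ("src",), "img": ("src",),
                "embed": ("src",), "object": ("data",)}


def registrable(host):
    """Crude same-site key: the last two DNS labels. Fine for .com/.net hosts
    like the ones here; wrong for ccSLDs such as example.co.uk."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


class ThirdPartyLoads(HTMLParser):
    """Collect the hostnames of every resource the page pulls from another site,
    i.e. code and content that runs in the page but the site does not control."""

    def __init__(self, page_host):
        super().__init__()
        self.site = registrable(page_host)
        self.hosts = set()

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in ACTIVE_ATTRS.get(tag, ()) and value:
                host = urlparse(value.strip()).hostname   # None for relative URLs
                if host and registrable(host) != self.site:
                    self.hosts.add(host.lower())


def third_party_hosts(html, page_host):
    parser = ThirdPartyLoads(page_host)
    parser.feed(html)
    parser.close()
    return parser.hosts


def compare_pages(pages):
    """Per-page third-party hosts, the hosts common to every page (a shared ad
    server would show up here) and the union (the candidate block list)."""
    per_page = {host: third_party_hosts(src, host) for host, src in pages.items()}
    common = set.intersection(*per_page.values())
    union = set().union(*per_page.values())
    return per_page, common, union


if __name__ == "__main__":
    per_page, common, union = compare_pages(SAVED_PAGES)
    for page, hosts in per_page.items():
        print(f"{page}: {sorted(hosts)}")
    print(f"shared by every page: {sorted(common) or 'none'}")
    print(f"block list candidates: {sorted(union)}")
```

Run against real saved sources, the union is the list to block; an empty intersection, which is what the two pages in this post give (DoubleClick on one, Yield Manager on the other), means the sites do not share an ad server and any common factor sits further upstream, for instance an advertiser buying on both networks.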

So, here’s what I did. I blocked ad.yieldmanager.com in my Firefox cookies and I blocked ad.doubleclick.net.

You can also do the same in IE if you are using that. If you need directions on how to do this, contact me.

Now, here’s my take on this situation. One of several, if not all, of the following situations is going on here. The possibilities are:

  • The same malware creator is advertising on all the advertising networks so (s)he can push the malware.
  • All the ad servers have been compromised.
  • All the ad servers have been injected with a code that will serve up this malware.

Either way you look at it, it appears that the advertising networks are clueless that they are putting all users at risk in their effort to generate revenue.

If you would like a copy of my wireshark packet capture files please contact me and I’ll send them to you.

If you are an advertising network and you would like testing done on your servers, please contact us to get a quote for those services. We do penetration testing - remotely and on-site.

If you are an antivirus, malware, or firewall software provider and would like all our files, please contact us. (Please note that our forensic files are not given unless we receive acknowledgment for our findings. That includes our partners: Trend Micro and Symantec.)

And to those of you who are STILL NOT USING IT, I highly suggest getting the FREE botnet tool from TrendMicro located here: http://www.trendsecure.com/portal/en-US/tools/security_tools/rubotted

Your PC Security is ultimately your responsibility! None of these manufacturers are going to come and clean up your machine for you. You’re stuck cleaning up the mess after they fail to protect you. So, I would suggest you start protecting yourself and learning how to do that!

ADDED: 2:30 PM CTD, Business Week just gave me one!

(Check it out at your own risk! http://images.businessweek.com/ss/08/10/1023_btw/index.htm)

written by Admin

Sep 08

There are some days that I am just so happy to be doing the work I do. And today is one of those days!

Last week I received an odd e-mail that was obviously spam, but seemed to contain malware. And of course, I was disturbed because my Trend Micro Internet Security Pro did not catch it. While I did a bit of analysis on my own, it did indeed seem to contain the makings of malware - not that the fact that it was an executable (exe) might have something to do with it too!

So, following our procedures for submission, I submitted the file to Trend’s virus engineers and I just received this e-mail back from them.

New Trojan Downloader HR

The name of the Trojan is TROJ_DLOADR.HR - short form for Trojan, Downloader, variation HR.

And in keeping with my pledge to expose people who are either running botnets unknowingly or expose those who would willingly send out malcode, here’s the e-mail I received and the headers from that e-mail.

The Original E-mail

You will notice that, first of all, this is a very bizarre e-mail address as the sender, and the “mail to” address is not a legitimate MICE e-mail address to begin with. And there is nothing going on at MICE that required an attorney to look over our contract. (We have two law firms we conduct business with and neither is at this address!)

So, looking at the headers I can see that this is coming from one specific IP address. Doesn’t appear to be a botnet, but I may be wrong. But from the headers, it seems to me that this e-mail originated from and was sent from this address. Perhaps this person is infected?

E-mail Headers showing IP Address

So, once again I go off to the Whatismyipaddress.com website (Gosh, I LOVE THEM!)

IP Address pointing to RoadRunner ISP

So, if you know of someone in that area (Washington State), or you are RoadRunner and you know who has the IP address of: 76.182.157.26, you need to contact them and tell them they are infected!

Not sure if it’s you or not? Go to WhatismyIPaddress.com and they will tell you immediately on the home page - the minute you get there.
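
Reading the originating address out of the headers, as done above from the screenshot, is worth automating, because the Received chain is only partly trustworthy. Each server prepends its own Received line, so the topmost lines were written by your own mail servers and the bottom ones by whoever sent the message, who can write anything there. The block below is an added example in Python and not the author’s code; the sample headers are constructed with RFC 5737 documentation addresses (they have the shape of the screenshot but are not that e-mail), and the set of “our servers” is assumed.

```python
import re
from email import message_from_string

# Constructed sample, using RFC 5737 documentation addresses. It has the shape
# of the headers in the screenshot but is not that e-mail: the bottom Received
# line is one the sender wrote itself to point the finger at someone else.
SAMPLE_MESSAGE = """\
Received: from mx1.example.org (mx1.example.org [192.0.2.10])
    by inbox.example.org with ESMTP id 1KcQ9x-0004rA-2B
    for <admin@example.org>; Mon, 08 Sep 2008 09:12:44 -0500
Received: from [198.51.100.26] (cpe-198-51-100-26.customer.isp.example [198.51.100.26])
    by mx1.example.org with SMTP id 4B2C1;
    Mon, 08 Sep 2008 09:12:40 -0500
Received: from mail.lawfirm.example (mail.lawfirm.example [203.0.113.5])
    by [198.51.100.26] with ESMTP; Mon, 08 Sep 2008 09:12:39 -0500
From: "Contracts Dept" <legal@lawfirm.example>
To: contracts@example.org
Subject: Contract for your review

Please review the attached contract.
"""

# Hostnames of our own mail servers (assumed). A Received line whose 'by' is one
# of these was written by software we control.
OUR_SERVERS = {"inbox.example.org", "mx1.example.org"}

RECEIVED_RE = re.compile(r"from\s+(\S+)(.*?)\s+by\s+(\S+)", re.IGNORECASE)
IPV4_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def parse_received(raw_message):
    """One (from_host, from_ip, by_host) tuple per Received header, topmost
    (most recently added) first. from_ip is the bracketed literal the receiving
    server recorded, or None if the line carries none."""
    msg = message_from_string(raw_message)
    hops = []
    for value in msg.get_all("Received", []):
        unfolded = " ".join(value.split())          # undo header folding
        m = RECEIVED_RE.search(unfolded)
        if not m:
            continue
        from_host, from_extra, by_host = m.groups()
        ips = IPV4_RE.findall(from_host + " " + from_extra)
        hops.append((from_host.strip("[]").lower(),
                     ips[0] if ips else None,
                     by_host.rstrip(";,").lower()))
    return hops


def originating_ip(raw_message, our_servers):
    """Walk the chain from the top. The first hop that one of OUR servers
    recorded from a host that is not ours is where the outside world handed us
    the message; that IP was observed by our software and can be believed.
    Everything below it was supplied by the sender and can say anything."""
    for from_host, from_ip, by_host in parse_received(raw_message):
        if by_host in our_servers and from_host not in our_servers:
            return from_ip
    return None


def claimed_ips(raw_message):
    """Every address the chain mentions, for comparison with the one above."""
    return [ip for _, ip, _ in parse_received(raw_message) if ip]


if __name__ == "__main__":
    print("hops, newest first:")
    for hop in parse_received(SAMPLE_MESSAGE):
        print("  from %s (%s) by %s" % hop)
    print("trustworthy origin:", originating_ip(SAMPLE_MESSAGE, OUR_SERVERS))
    print("addresses the headers claim:", claimed_ips(SAMPLE_MESSAGE))
```

In the constructed sample the headers name three addresses, but only 198.51.100.26, the host that connected to our own mx1, was observed by software we control; the 203.0.113.5 line below it was written by the sender. The address to report to the ISP is the one at that boundary, not the one at the bottom of the chain.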

So today my job is worthwhile. I found a new Trojan!

And since our press release called me “The Lone Ranger” of PC Security, I guess I will ride another day!

Hi Ho, Trend Micro! Away!

Aug 23

Microsoft Award Promotion Winner!

I received 966 copies of my Microsoft Award Promotion winning e-mail this morning! And I won it in their Microsoft New year Bonaza EMAIL DRAW! (Their spelling not mine!)

I guess they really wanted me to make sure I know I won!

And in case I didn’t understand what a winner was, they made sure I knew I was also a wenner! (I guess that’s better than being a whinner or a weiner!)

Here’s what it said:

You have won £1,000,000.00 GBP in the recent email drawof the Microsoft New year Bonaza EMAIL DRAW. you are advise to contact your claims department with the below informations.Full Name;Home Address; Country of residence; occupation: Contact Phone Number;Contact Person: Mr. Lewis Desmond E-mail:gaminghouse125@hotmail.com.

See how I traced the sender back to a poor schmuck running a botnet in Canada.  View the details here: http://mice.org/microsoft-award-promotion.html

If anyone knows TomTS in Barrie, Ontario Canada, tell him to clean up his computer!

Point him to my post about the free botnet removal tool from Trend Micro!

© 2007-2008 MICE Training & Technology™.