Posts Tagged ‘bots’
Mal-Ads on the Rise Again
Over the past several days, I’ve received phone calls and requests for assistance because of some new mal-ads pushing yet another drive-by download.
Based on the discussion with one of these callers and their cry for help, I was able to get at some of the underlying script, which was a PHP redirect.
Now for those of you who are unfamiliar with what that is, the simple explanation is that the page or ad being served up has code in it written in PHP (my WP blog is also written in PHP) that rotates what is displayed in the ad. I guess you could call it an ad rotation script.
The problem arises when the rotation script calls up an ad that actually redirects you to a file; that file downloads into your Temporary Internet Files and launches a pop-up or pop-under page. Once you click the pop-up/pop-under page, you’ve launched the malware.
I described the steps to take to stop this from happening in a previous post: How To Stop The New Malware. But like anything else security related, no one listens until they are infected!
So let me remind you one more time! First, go to this post and change your settings according to the browser you are using. (It covers IE and Firefox. If you want Safari and Chrome settings, leave a comment and I’ll post those too!)
Next, if the pop-up/pop-under appears, hold down the Control (CTRL) key, then the ALT key (hold it down too), and then the DEL (delete) key to bring up your Task Manager. Just do that once, because doing it twice will cause your machine to reboot!
When the Task Manager appears, click the Applications tab (if it’s not already on it), click on Internet Explorer or Firefox (whichever browser you are using), and then click the End Task button on the bottom.
Note: You will lose your entire browsing session, but it’s better to lose your browsing session than to get hit with this horrible malware, right?
If you end the task the way I described here, the malware will not be able to launch, at least for now.
The biggest offender is still the FAKEAV (fake AV) malware, which includes the Antivirus 2009 malware. Trend Micro reports the loss to victims in an article: Rogue AV Scams Result in US$150M in Losses
“November marks the official start of the holiday shopping season as millions of Americans search for gifts and deals both online and in stores,” said Jack Flanagan, executive VP of comScore Media Metrix, in a statement. “With nearly 4 out of 5 Americans online visiting a retail site during November, the Internet clearly represents an increasingly important channel for retailers during the holiday season and beyond.”
Botnets
We’ve had much discussion on this blog about Botnets. But what is a botnet?
According to TechWeb, a botnet is:
(roBOT NETwork) Also called a “zombie army,” a botnet is a large number of compromised computers that are used to create and send spam or viruses or flood a network with messages as a denial of service attack. The computer is compromised via a Trojan that often works by opening an Internet Relay Chat (IRC) channel that waits for commands from the person in control of the botnet. There is a thriving botnet business selling lists of compromised computers to hackers and spammers.
This is why we are very concerned that advertisers appear to be placing something in the ads or JavaScript that is setting off the RUBotted alerts.
Advertisements are everywhere. Internet visitors want free content, but those of us who have businesses need to pay for our web hosting, domain names, and maintenance to provide free content. So, millions of web owners and bloggers have jumped into accepting ads like Google’s AdSense and other paid advertisers to keep up with costs while keeping content free.
If unscrupulous advertisers have figured out a way to get inside our computers without us realizing it, millions upon millions of computers will be compromised and the web site owners sponsoring the ads will be to blame.
We are continuing our unending effort to get to the bottom of why the RUBotted pop-ups are continuing.
But for those of you who didn’t understand why this is so important, this is your explanation.
On another related note, even the U.S. Army has gone botnet hunting! Read the Information Week article here: U.S. Army Goes Botnet Hunting. It’s nice to know we’re in good company!
Also included in this article is a link to the Army’s new release of the BotHunter software (free!), available in Linux, Windows, and Mac distributions.
The BotHunter website states that the new software is:
BotHunter is an application designed to track the two-way communication flows between internal assets and external entities, developing an evidence trail of data exchanges that match a state-based infection sequence model. BotHunter consists of a correlation engine that is driven by a customized and augmented release of Snort version 2, which tracks the underlying actions that occur during the malware infection process: inbound scanning, exploit usage, egg downloading, outbound bot coordination dialog, outbound attack propagation, and malware P2P communication. The BotHunter correlator then ties together the dialog trail of inbound intrusion alarms with those outbound communication patterns that are highly indicative of successful local host infection. When a sequence of evidence is found to match BotHunter’s infection dialog model, a consolidated report is produced to capture all the relevant events and event sources that played a role during the infection process. We refer to this analytical strategy of matching the dialog flows between internal assets and the broader Internet as dialog-based correlation (patent pending).
I have now downloaded it and will be testing it out and since it’s free, I suggest many of you do the same. This may solve our problem by discovering what it is that’s trying to get through our RUBotted!
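The dialog-based correlation described above, as an added Python illustration rather than BotHunter’s or SRI’s own code: it walks a constructed alert stream, keeps a per-host evidence trail, and flags a host only when the stages line up with a simplified version of the infection sequence model. The stage names, the 120-second evidence window, and the two matching rules (an inbound stage followed by an outbound stage, or two distinct outbound stages) are assumptions made for this example.

```python
import re
from collections import defaultdict

# Constructed sample alerts (not real Snort/BotHunter output):
# <seconds> <direction> <internal host> <infection stage>
SAMPLE_ALERTS = """\
10 in  10.0.0.5 scan
25 in  10.0.0.5 exploit
40 out 10.0.0.5 egg_download
55 out 10.0.0.5 cnc_dialog
12 in  10.0.0.9 scan
30 out 10.0.0.7 cnc_dialog
"""

WINDOW = 120  # assumed: evidence older than this many seconds is pruned
ALERT_RE = re.compile(r"(\d+)\s+(in|out)\s+(\S+)\s+(\w+)")

def parse_alerts(text):
    """Turn the constructed alert lines into (time, direction, host, stage) tuples."""
    events = []
    for line in text.splitlines():
        m = ALERT_RE.match(line)
        if m:
            events.append((int(m.group(1)), m.group(2), m.group(3), m.group(4)))
    return events

def correlate(events, window=WINDOW):
    """Return {host: sorted stages} for hosts whose evidence trail matches the
    simplified (assumed) infection dialog model:
      - an inbound stage (scan/exploit) followed by an outbound stage, or
      - two distinct outbound stages (egg download, C&C dialog, propagation, P2P),
    with all evidence falling inside `window` seconds."""
    trail = defaultdict(list)  # host -> [(time, direction, stage)]
    infected = {}
    for t, direction, host, stage in sorted(events):
        # Prune stale evidence, then record the new event for this host.
        hist = [e for e in trail[host] if t - e[0] <= window]
        hist.append((t, direction, stage))
        trail[host] = hist
        first_in = min((e[0] for e in hist if e[1] == "in"), default=None)
        outbound = {s for _, d, s in hist if d == "out"}
        out_after_in = {s for t2, d, s in hist
                        if d == "out" and first_in is not None and t2 > first_in}
        if out_after_in or len(outbound) >= 2:
            # Consolidated report: every stage that played a role for this host.
            infected[host] = sorted({s for _, _, s in hist})
    return infected
```

A lone inbound scan (10.0.0.9) or a single outbound dialog (10.0.0.7) never produces a report on its own; only the host showing the full inbound-then-outbound sequence is flagged.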
One caveat for all of those who are as paranoid as I am: READ THE EULA!
It states:
BOTHUNTER PROFILES.
You may, at your sole discretion, elect to share profile data collected by the Software with SRI. If You provide any data files to SRI, then SRI shall automatically have the worldwide, perpetual, non-exclusive, royalty-free license to utilize such data files and any derivatives thereof for all purposes without attribution.
So, there can be some sharing of information. It doesn’t say how much is personally identifying! Be forewarned!
Also, there is a statement under the Jurisdiction section:
This Software is controlled by SRI from its offices within the State of California.
Just what it means by controlled is not clearly spelled out! So, if you’re paranoid of big brother, don’t use this! The EULA is too open ended. I’m using it in the interest of research and you better believe I’ll be doing a few packet captures too!
As always, stay tuned…….
Bot Update
Last night I updated my Flash files and I was still getting notices as per my added notice on the post: A Possible Answer to the RUBotted Pop-ups?
However, this morning – upon boot – I’ve yet to receive one. I also went directly to the main file disclosed in the previous post that was serving up the ad and I did not receive the pop-up.
At this point, I can only conclude that the flash was the vulnerability and it is NOT a glitch or bug in RUBotted.
Anthony Valente, my partner from Network Defense Solutions is working with the Flash file I sent him this morning to find out what it was in the file that might have been doing this. Only by understanding how the malware providers are pushing this crap on us, can we understand how to protect ourselves.
Stay tuned for more disturbing news about the ad servers from hell! You are not going to be happy when you hear what Anthony has uncovered through my initial research with the Antivirus 2009!
In the meantime, go update your Flash players PLEASE!