
I thought this issue might have been a false positive because of finding the IP address belonging to TrendMicro. (See: http://mice.org/blog/i-found-the-bot/)
But over the weekend, I’ve heard from many of you that you are experiencing a shutdown of your AV software on reboot, or after you shut down and restart the next morning. This is a very disturbing trend.
I’ve noticed myself that when the pop-up appears, I’m getting complacent about just clicking the “No” button and ignoring it. This is also disturbing. We should never become complacent in our security.
I still stand by my original post that there is something being served us through the ads on these sites. That is the only logical explanation I can come up with. But what? And how?
The pop-up states that, “Someone has launched malicious software on your computer by remote control.”
So that started me thinking. What if….. what if something in an ad is triggering the launch of some Microsoft service? Like their lame a** Malicious Software Removal Tool?
Here’s what I did…. I took a copy of my task manager and all the services running in the background. I also opened my Spybot Search and Destroy in Advanced Mode to see if there was anything like MRT running inside the services process. Knowing my baseline of what’s running, I would then try to get the popup again from the known pages that I’ve visited and received it.
If this theory is correct, something should show up in my running processes immediately!
So, I closed down unnecessary services running in the background and this is how my Task Manager reads currently.

I have watched the running processes change and the only thing I’ve seen so far is that the services.exe pops up with a high CPU commitment when the RUBotted pops up. I cannot see through my running processes in Spybot where there is any other process being activated at the same time.
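The baseline-then-reproduce method described above, as an added example that is not part of the original post: a small Python script that compares a baseline snapshot of running processes against a later one and reports processes that appeared, processes that vanished, and processes whose CPU share jumped (the kind of services.exe spike noted above). The snapshot data is constructed; on a real Windows machine you would fill the lists from Task Manager or `tasklist` output.

```python
"""Compare a baseline snapshot of running processes against a later one.

Added example, not code from the original post. Each snapshot is a list of
Proc(name, pid, cpu_percent); on Windows you would build it from Task Manager
or `tasklist`. The two snapshots below are constructed sample data.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Proc:
    name: str
    pid: int
    cpu: float  # CPU percent at snapshot time


# Constructed baseline: what was running before trying to reproduce the pop-up.
BASELINE = [
    Proc("System", 4, 0.0),
    Proc("services.exe", 612, 0.5),
    Proc("svchost.exe", 800, 1.0),
    Proc("explorer.exe", 1200, 2.0),
    Proc("RUBotted.exe", 1500, 0.3),
]

# Constructed later snapshot: services.exe spiked and one new process appeared
# (sample_new.exe is a made-up name used only to exercise the diff).
AFTER = [
    Proc("System", 4, 0.0),
    Proc("services.exe", 612, 48.0),
    Proc("svchost.exe", 800, 1.2),
    Proc("explorer.exe", 1200, 1.8),
    Proc("RUBotted.exe", 1500, 0.4),
    Proc("sample_new.exe", 2044, 0.1),
]


def diff_snapshots(baseline, after, cpu_jump=25.0):
    """Return (new, gone, spiked) as sorted lists of (name, pid).

    new    - present now but not in the baseline
    gone   - present in the baseline but not now
    spiked - present in both, CPU rose by at least cpu_jump percentage points
    Processes are matched on (name, pid), so a restarted process with a new
    PID shows up as both gone and new, which is worth a look on its own.
    """
    before = {(p.name, p.pid): p for p in baseline}
    now = {(p.name, p.pid): p for p in after}
    new = sorted(k for k in now if k not in before)
    gone = sorted(k for k in before if k not in now)
    spiked = sorted(
        k for k in now if k in before and now[k].cpu - before[k].cpu >= cpu_jump
    )
    return new, gone, spiked


def report(baseline, after, cpu_jump=25.0):
    """Render the diff as one line per finding, ready to paste into notes."""
    new, gone, spiked = diff_snapshots(baseline, after, cpu_jump)
    lines = [f"NEW   {name} pid={pid}" for name, pid in new]
    lines += [f"GONE  {name} pid={pid}" for name, pid in gone]
    lines += [f"SPIKE {name} pid={pid}" for name, pid in spiked]
    return lines


if __name__ == "__main__":
    print("\n".join(report(BASELINE, AFTER)))
```

Take the baseline snapshot after closing the unnecessary services, then take the second one the moment the pop-up appears; a process that is in the second list but not the first is the thing to investigate, and a CPU spike on an existing system process (as with services.exe here) tells you which process to watch rather than which process to blame.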
I really don’t think this is totally benign – or harmless – at this point. I think this is a serious problem and we need to get to the bottom of it. Especially since people are reporting in with their AV being shut off. This is not a harmless action by any means!
Please be diligent. Check your AV software to make sure it’s running repeatedly throughout the day.
In the meantime, I’m going to turn on my test machine and see if I can nab this bad boy!
Debbie

WOW! Was I ever off base with this one! Now, what I want to know is what the heck is going on???
I commented to a reader about doing a netstat -an from the command prompt and decided to take my own advice. Here’s what I found in my netstat.

My Netstat -an results
Closed is good. Not connected.
But wait, something is not sitting right with me. The port. The port is a secured port! 443 is a secured port!
The plot thickens!
I look this port up on GRC Port Authority and discover this:
SSL
The “s” in “https” stands for “secure”: Hyper Text Transfer Protocol, Secure. You may encounter other s-suffix protocols such as ftps or smtps. These, similarly, refer to secured-transport versions of the base protocol.
In the case of https, whereas the default port used for standard non-secured “http” is port 80, Netscape chose 443 to be the default port used by secure http. (They chose port 443 because it was not being used for any other purpose at the time.)
So now I’m really confused. How can this be? A botnet that is authenticated over SSL?? This is not right.
I go back to the Whois query and this time I check the box next to Reverse Domain Lookup. I should’ve done this the first time – darn it!

Now look who this is! WTF???

TrendMicro????
Okay, so now we know that IP is benign, but this begs the question, what the H*LL is going on with Trend that the bot alert is going off on web sites and why???
Trend, would you please respond??? What in the heck is going on??
I didn’t apply for a job with you so this can’t be a test. So what the heck is up??
Are you setting off your own alert when you try to scan a website? Is this some kind of glitch in your software? What?
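The two checks used above, `netstat -an` followed by a reverse lookup of the remote address, as an added Python example that is not part of the original post. It parses Windows-style `netstat -an` output, groups TCP connections by external peer (local, loopback and private addresses are skipped), and attaches a reverse-DNS name to each peer. Port 443 on its own only says the connection is HTTPS; the peer's identity is what the reverse lookup answers, which is how the address above turned out to belong to TrendMicro. The netstat text is constructed sample data and the peer addresses are documentation addresses, not real hosts; the resolver is injectable so the summary can be produced offline.

```python
"""Summarize `netstat -an` output by external peer and resolve peer names.

Added example, not code from the original post. SAMPLE_NETSTAT is constructed
to look like Windows `netstat -an` output; 203.0.113.10 and 198.51.100.7 are
documentation addresses, not real hosts. Reverse DNS goes through an
injectable resolver so the grouping can be tested without network access.
"""
import ipaddress
import re
import socket
from collections import defaultdict

SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    127.0.0.1:1029         127.0.0.1:1030         ESTABLISHED
  TCP    192.168.1.5:1040       203.0.113.10:443       ESTABLISHED
  TCP    192.168.1.5:1041       203.0.113.10:443       TIME_WAIT
  TCP    192.168.1.5:1042       203.0.113.10:443       CLOSE_WAIT
  TCP    192.168.1.5:1050       198.51.100.7:80        ESTABLISHED
  UDP    0.0.0.0:500            *:*
"""

# One netstat row: proto, local addr:port, foreign addr:port, optional state.
LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+):(\S+)(?:\s+(\S+))?\s*$")

# Addresses that are not an external peer. Listed explicitly rather than via
# ip.is_private because Python also treats the documentation ranges used in
# the sample as non-global, which would hide the very peers we want to see.
LOCAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",  # RFC 1918
    "127.0.0.0/8", "169.254.0.0/16", "0.0.0.0/8",      # loopback, link-local, wildcard
)]


def parse_netstat(text):
    """Yield one dict per connection row; headers and blank lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        proto, laddr, lport, raddr, rport, state = m.groups()
        yield {"proto": proto, "laddr": laddr, "lport": int(lport),
               "raddr": raddr, "rport": rport, "state": state or ""}


def is_external(addr):
    """True for addresses outside LOCAL_NETS; False for '*' and other non-IPs."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return not any(ip in net for net in LOCAL_NETS)


def summarize_peers(text):
    """Group TCP rows by external peer: remote ports, per-state counts, total."""
    peers = defaultdict(lambda: {"ports": set(), "states": defaultdict(int), "count": 0})
    for c in parse_netstat(text):
        if c["proto"] != "TCP" or not is_external(c["raddr"]):
            continue
        p = peers[c["raddr"]]
        p["ports"].add(int(c["rport"]))
        p["states"][c["state"]] += 1
        p["count"] += 1
    return dict(peers)


def default_resolver(addr):
    """Reverse-DNS lookup; None when the address has no PTR record."""
    try:
        return socket.gethostbyaddr(addr)[0]
    except (socket.herror, socket.gaierror, OSError):
        return None


def name_peers(summary, resolver=default_resolver):
    """Attach a reverse-DNS name (or None) to each peer in the summary."""
    return {addr: {**info, "rdns": resolver(addr)} for addr, info in summary.items()}


if __name__ == "__main__":
    for addr, info in name_peers(summarize_peers(SAMPLE_NETSTAT)).items():
        print(addr, info["rdns"], sorted(info["ports"]), dict(info["states"]))
```

Pipe real output in with `netstat -an > netstat.txt` and read the file into `summarize_peers`; a peer showing only TIME_WAIT or CLOSE_WAIT rows is a connection that has already finished, while ESTABLISHED rows are live, and in either case the reverse-DNS name (or a Whois lookup of the address, as in the post) is what tells you who the peer is.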

If you’ve read any of the comments on the original post: What Ad Server is Dishing up Malware and Bots? – then you know this is being reported as a widespread problem hitting many sites and many users.
I’m very curious to know how many people are not using RUBotted and are therefore getting hit with this bot? I think I’ll need to run a check on my test machine today.
Anyway, there were two other schools of thought on this and one of them was that perhaps a Microsoft Update had affected this. I don’t believe so. The reason I state that is that my machine was fully patched before this happened but our marketing director’s machine had not been. He had not updated to the newest security patches when he started getting the notices. (He updates on weekends.) So that eliminates the update theory.
The other thought that I had was perhaps a Java problem. I had also performed a Java update and the pages that are delivering this warning are all using JavaScript to run the ads. But here lies the problem with that theory: This blog is using JavaScript for AdSense and it’s not appearing here. Plus, I play Yahoo online games every morning with my coffee and it runs a Java applet for the TextTwist game and I don’t get the warning there. Yet, when I go to Mail or the main page, I do get it. So, it would be a very strange JavaScript that only certain sites are using that would be a culprit.
Additionally, why don’t all the pages on a specific site issue the warning if the same JavaScript code is being used?
I surfed tarot.com this morning without an incident until about 6 pages in. But I was reading various pages for a few minutes on each page, and they have rotating ads that constantly refresh. So obviously, it’s a specific ad that is spreading this. That’s all I can figure so far.
Reports are coming in from users that they receive it at various page locations on:
- Tarot.com
- Business Week
- Yahoo
- Yahoo Mail
- Reuters
- The Register
- Dictionary.com
- CNN.com
- InfoWorld.com
If you’ve found others not listed here, please feel free to add to the list by commenting!
We will continue to keep you updated as we learn about this.
However, I can tell you that the warnings have slowed down. I’m not getting them as often as I have in the past day or two.
- Could it be that the ad companies have realized their servers were breached and are taking steps to fix them?
- Could the ad companies have found the advertiser responsible?
- Do they even care?
- Have the anti-malware providers updated our protection to protect us?
Your guess is as good as mine because no one is talking!
One thing this does do is make us website owners rethink this whole AdSense thing as a way of making money. Do I want to make piddly pennies per day at the risk of serving my readers bots? I don’t think so!
And as Internet users, it makes us rethink how valuable sites that are serving up this risk to us really are! Isn’t our PC security worth more?
Something to think about in the days ahead – for sure!