Posts Tagged ‘spybot search and destroy’

Bot Update


Last night I updated my Flash player files and was still getting the notices, as per the note I added to the post: A Possible Answer to the RUBotted Pop-ups?

However, this morning, upon boot, I have yet to receive one. I also went directly to the main file disclosed in the previous post that was serving up the ad, and I did not receive the pop-up.

At this point, I can only conclude that Flash was the vulnerable component and that this is NOT a glitch or bug in RUBotted.

Anthony Valente, my partner from Network Defense Solutions, is working with the Flash file I sent him this morning to find out what in the file might have been doing this. Only by understanding how the malware providers are pushing this crap on us can we understand how to protect ourselves.

Stay tuned for more disturbing news about the ad servers from hell! You are not going to be happy when you hear what Anthony has uncovered through my initial research into Antivirus 2009!

In the meantime, go update your flash players PLEASE!




A Possible Answer to the RUBotted Pop-ups?


This situation has been driving me crazy for days now. I had to find an answer.

Well, here goes!

I opened up the page source for about three different web pages that were causing the pop-ups. (View Source, saved as a text file.)

I opened all three in my Textpad editor and started taking out the normal code that doesn't do anything dangerous. That left me with nothing but JavaScript on all three sites!

Okay, I know JavaScript is not the culprit because I use it here, and I have visited other sites that use it with no pop-up. So by deduction, JavaScript itself in a page is not the culprit. BUT! What is inside the JavaScript files?

So, the wonderful thing about Textpad is that I can highlight a bit of code that has a URL in it, right-click, and it will give me the option to open the link in the browser. This delivered me every single .js file there was on all the pages.

Remember I said that this was related to ads? Well, I'm correct. But there's something specific in the ads that is affecting RUBotted.

In the many, many, many JavaScript files I opened this morning and afternoon, there is a common denominator – FLASH.

These ads and the related JavaScript have gotten very complex. There is a JavaScript reference inside a JavaScript reference – sometimes going 3 levels deep!
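The by-hand procedure above (save the page source, pull out every script URL, open each script, repeat for the references it writes in turn) can be automated so the whole chain is inventoried in one pass. The script below is an added example, not code from this post or from any ad network; it walks a constructed, in-memory set of documents under hypothetical hosts (example-site.test, ads.example-network.test, cdn.example-network.test), follows script references whether they appear as HTML tags or inside document.write strings, resolves relative URLs against the file they were found in, and reports every script and .swf reference with the depth at which it was found, plus the third-party hosts involved. The fetch function is a dictionary lookup here; against a real saved page you would supply one that reads the saved files from disk.

```python
import re
from urllib.parse import urljoin, urlparse

# Matches a script reference whether it sits in HTML (<script src="...">) or in
# JavaScript that builds the tag inside a string (document.write('<SCRIPT SRC="...">')).
SCRIPT_SRC = re.compile(r"""<script[^>]*?\bsrc\s*=\s*["']([^"']+)["']""", re.IGNORECASE)
# Matches a quoted reference to a Flash movie (.swf), with or without a query string.
FLASH_REF = re.compile(r"""["']([^"']+\.swf(?:\?[^"']*)?)["']""", re.IGNORECASE)

PAGE_URL = "http://example-site.test/page.html"

# Constructed sample documents (hypothetical hosts and file names, not the
# real ad chain from the post): a page, its own script, and an ad loader that
# writes a script that writes a script that references a Flash movie.
SAMPLE_DOCS = {
    PAGE_URL: """<html><body>
        <script src="/js/site.js"></script>
        <script type="text/javascript" src="http://ads.example-network.test/loader.js"></script>
        </body></html>""",
    "http://example-site.test/js/site.js": "function nav() {}",
    "http://ads.example-network.test/loader.js":
        "document.write('<SCRIPT SRC=\"http://ads.example-network.test/adj/slot.js\"></SCRIPT>');",
    "http://ads.example-network.test/adj/slot.js":
        "document.write('<script src=\"flashwrite.js\"></script>');",  # relative reference
    "http://ads.example-network.test/adj/flashwrite.js":
        "var movie = 'http://cdn.example-network.test/banner.swf';",
}


def crawl_scripts(start_url, fetch, max_depth=10):
    """Follow every script reference reachable from start_url.

    fetch(url) returns the document body or None if it cannot be read.
    Returns a list of (depth, url, kind) where kind is "script" or "flash"
    and depth is how many references deep the item was found (the page
    itself is depth 0). Each URL is visited once, so loops cannot recurse.
    """
    seen = set()
    found = []

    def visit(url, depth):
        if url in seen or depth >= max_depth:
            return
        seen.add(url)
        body = fetch(url)
        if body is None:
            return
        for m in SCRIPT_SRC.finditer(body):
            child = urljoin(url, m.group(1))  # resolve relative to the referencing file
            found.append((depth + 1, child, "script"))
            visit(child, depth + 1)
        for m in FLASH_REF.finditer(body):
            found.append((depth + 1, urljoin(url, m.group(1)), "flash"))

    visit(start_url, 0)
    return found


def third_party_hosts(start_url, found):
    """Hosts that serve scripts or Flash but are not the page's own host."""
    own = urlparse(start_url).hostname
    return sorted({urlparse(u).hostname for _, u, _ in found
                   if urlparse(u).hostname != own})


def max_script_depth(found):
    """Deepest level at which a script reference was found (0 if none)."""
    return max((d for d, _, k in found if k == "script"), default=0)


if __name__ == "__main__":
    refs = crawl_scripts(PAGE_URL, SAMPLE_DOCS.get)
    for depth, url, kind in refs:
        print(f"{'  ' * depth}[{kind}] {url}")
    print("third-party hosts:", third_party_hosts(PAGE_URL, refs))
    print("deepest script reference:", max_script_depth(refs))
```

On the constructed sample the deepest script reference sits three levels below the page, which is the shape the post describes; in practice the host list is the more useful output, since it tells you at a glance which domains you are actually loading code from when you visit the page.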

On the Tarot.com page I saved that had given me the pop-up, I found this:

(screenshots of the saved page source)

The code points to a source:
SRC="http://ad.doubleclick.net/adj/vsn.tarot/other;tile=10;sz=160x600;ord='+ord+'?"

When I went to the URL, it downloaded a file with no extension, named other;tile=10;sz=160x600;ord='+ord+', which I opened in TextPad also. (To access the file yourself: othertitle.zip)

Here's what I found that's relevant. There is code inside it that points to the actual Flash file and to another JavaScript file. AND! When I downloaded both, I got the pop-up. Here are the images, and I'll explain what I don't like about this.

(screenshots of the downloaded file)

Now here’s the code inside the file labeled flashwrite1_2.js.

(screenshots of flashwrite1_2.js)

What is this file trying to write to my flash application?

Now, the reason I'm calling this into question is that I received a US-CERT Cyber Security Bulletin as I was typing this up and investigating it.

A vulnerability in Adobe Flash Player was disclosed on November 17th, just 3 days before I started reporting the pop-ups.

http://web.nvd.nist.gov/view/vuln/detail;jsessionid=02544ed65bc300e67b8695238afe?execution=e1s1

I’m going to update my Flash player and revisit these links and see if I still get the RUBotted pop-ups.

Then I need to get to some work that makes me some money since I’ve spent a lot of time on this. However, if you’d like to buy me a cup of coffee for my troubles, you can send me a tip through the tip jar on the right side or PayPal here.   :mrgreen:

Hopefully, the problem is solved.

Debbie

NOTE ADDED 5:10 PM CDT: The Flash update didn't work at fixing the problem! Still getting the pop-up message! But that does not dismiss the fact that these ad codes are trying to write to our Flash application. Anyone know JavaScript and know how, or what, it's writing?

I was also going to reverse engineer the Flash file mentioned here, but my Flash version is too old. (The upgrade costs $199.00.) By taking apart the Flash file, we might be able to see if there's something malicious besides the JavaScript code.




The RUBotted Saga Continues


I thought this issue might have been a false positive because of finding the IP address belonging to TrendMicro. (See: http://mice.org/blog/i-found-the-bot/)

But over the weekend, I've heard from many of you that your AV software is shutting down on reboot, or after you shut down and restart the next morning. This is a very disturbing trend.

I’ve noticed myself that when the pop-up appears, I’m getting complacent about just clicking the “No” button and ignoring it. This is also disturbing. We should never become complacent in our security.

I still stand by my original post that there is something being served us through the ads on these sites. That is the only logical explanation I can come up with. But what? And how?

The pop-up states that, “Someone has launched malicious software on your computer by remote control.”

So that started me thinking. What if….. what if something in an ad is triggering the launch of some Microsoft service? Like their lame a** Malicious Software Removal Tool?

Here's what I did. I took a snapshot of my Task Manager and of all the services running in the background. I also opened my Spybot Search and Destroy in Advanced Mode to see if there was anything like MRT running inside the services process. Knowing my baseline of what's running, I would then try to get the pop-up again from the known pages where I've visited and received it.

If this theory is correct, something should show up in my running processes immediately!

So, I closed down unnecessary services running in the background, and this is how my Task Manager reads currently.

(Task Manager and Spybot process list screenshots)

I have watched the running processes change, and the only thing I've seen so far is that services.exe shows a spike in CPU usage when the RUBotted pop-up appears. I cannot see in my running processes in Spybot any other process being activated at the same time.

I really don’t think this is totally benign – or harmless – at this point. I think this is a serious problem and we need to get to the bottom of it. Especially since people are reporting in with their AV being shut off. This is not a harmless action by any means!

Please be diligent. Check repeatedly throughout the day that your AV software is still running.
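Comparing a baseline process list against one taken the moment the pop-up fires, as described above, is easier to do reliably with a diff than by eye, and the same diff answers the question this paragraph raises: whether an AV process has quietly gone away. The script below is an added example, not from this post; it parses two snapshots in the layout that Windows' `tasklist /fo csv` prints and reports processes that appeared, processes that disappeared, and surviving processes whose memory use jumped. The two snapshots are constructed sample data with made-up process names (avservice.exe stands in for whatever AV you run, newprocess.exe for an unexpected newcomer) and made-up PIDs, not captures from the author's machine. tasklist's CSV output carries memory but not CPU, so memory growth stands in here for the CPU spike the post observed on services.exe.

```python
import csv
from io import StringIO

# Constructed sample snapshots in the layout `tasklist /fo csv` prints on
# Windows (header row, then one quoted row per process). Process names and
# PIDs are made up for the example; avservice.exe stands in for an AV
# product's service and newprocess.exe for an unexpected newcomer.
BASELINE = '''"Image Name","PID","Session Name","Session#","Mem Usage"
"System Idle Process","0","Services","0","24 K"
"services.exe","612","Services","0","5,120 K"
"svchost.exe","900","Services","0","18,300 K"
"avservice.exe","1320","Services","0","14,000 K"
"explorer.exe","1480","Console","1","30,400 K"
"iexplore.exe","2100","Console","1","52,000 K"
"RUBotted.exe","2300","Console","1","9,800 K"
'''

AFTER_POPUP = '''"Image Name","PID","Session Name","Session#","Mem Usage"
"System Idle Process","0","Services","0","24 K"
"services.exe","612","Services","0","41,900 K"
"svchost.exe","900","Services","0","18,300 K"
"svchost.exe","3020","Services","0","7,100 K"
"explorer.exe","1480","Console","1","30,600 K"
"iexplore.exe","2100","Console","1","88,000 K"
"RUBotted.exe","2300","Console","1","9,900 K"
"newprocess.exe","3108","Console","1","12,400 K"
'''


def parse_tasklist_csv(text):
    """Return {pid: (image_name, mem_kb)} from tasklist /fo csv output."""
    procs = {}
    for row in csv.DictReader(StringIO(text)):
        pid = int(row["PID"])
        # "41,900 K" -> 41900
        mem_kb = int(row["Mem Usage"].replace(",", "").rstrip(" K"))
        procs[pid] = (row["Image Name"], mem_kb)
    return procs


def diff_snapshots(baseline, after, growth_kb=10_000):
    """Compare two snapshots keyed by PID.

    Returns (appeared, vanished, grown):
      appeared: [(pid, name)] present afterwards but not at baseline
      vanished: [(pid, name)] present at baseline but gone afterwards
      grown:    [(pid, name, delta_kb)] surviving processes whose memory
                rose by at least growth_kb
    """
    appeared = sorted((pid, after[pid][0]) for pid in after.keys() - baseline.keys())
    vanished = sorted((pid, baseline[pid][0]) for pid in baseline.keys() - after.keys())
    grown = sorted(
        (pid, after[pid][0], after[pid][1] - baseline[pid][1])
        for pid in baseline.keys() & after.keys()
        if after[pid][1] - baseline[pid][1] >= growth_kb
    )
    return appeared, vanished, grown


def missing_processes(snapshot, expected_names):
    """Names from expected_names (e.g. your AV's processes) with no live instance."""
    running = {name.lower() for name, _ in snapshot.values()}
    return [n for n in expected_names if n.lower() not in running]


if __name__ == "__main__":
    base = parse_tasklist_csv(BASELINE)
    after = parse_tasklist_csv(AFTER_POPUP)
    appeared, vanished, grown = diff_snapshots(base, after)
    print("appeared:", appeared)
    print("vanished:", vanished)
    print("grew by >= 10 MB:", grown)
    print("AV missing after pop-up:", missing_processes(after, ["avservice.exe"]))
```

To use it on a real machine, save `tasklist /fo csv > baseline.csv` once you are at your known-good state, save a second file the moment the pop-up appears, and feed both files' contents to `parse_tasklist_csv`; the `missing_processes` check is the one to run on a schedule with your AV's real process names substituted for the placeholder.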

In the meantime, I’m going to turn on my test machine and see if I can nab this bad boy!

Debbie


