
Posts Tagged ‘trendmicro’

Some New Takes on the Botnet Issue!


After the many responses from readers I did some snooping and have some possible causes of this botnet pop-up issue.

Now, I want you to bear with me on this one because I’m going to take a chain of events to make a connection.

I wanted to establish a time frame of the pop-up so I went back to my original, first post and found the date to be November 20th.  So let’s assume that the pop-ups started around that time (plus or minus a week to be on the safe side).

What’s happened in and around that time frame?

  • Microsoft issued a critical update to a Vulnerability in Server Service Could Allow Remote Code Execution (958644): Microsoft Security Bulletin MS08-067, October 23, 2008
  • Microsoft issued an important update to a Vulnerability in SMB Could Allow Remote Code Execution (957097): Microsoft Security Bulletin MS08-068, November 11, 2008
  • Microsoft issued a critical update to Vulnerabilities in Microsoft XML Core Services Could Allow Remote Code Execution (955218): Microsoft Security Bulletin MS08-069, November 11, 2008
  • On November 25, I issued the Bot Update saying it was Flash because there was a flash update issued. (We now know that flash is NOT the issue.)
  • On November 25, Trend’s Malware Blog reports on a newly found worm, that may be the precursor to a new botnet that’s exploiting the Microsoft MS08-067 Vulnerability!
  • On December 6, Sun issues 13 updates to Java according to a new post on the Trend Labs blog!

Now, follow with me here a minute. Remember I’ve been saying that the ads on the websites are using JavaScript inside JavaScript? And other readers have reported the pop-up of the Java in their toolbar along with the RUBotted pop-up.  Whereas the sites I’ve been on, already have Java running before the RUBotted pop-up.

What if, this new botnet is being delivered through – or trying to be delivered through – the ad servers?

Now take into consideration the fact that ads are everywhere. What better way to access the millions of users?

And, what if this isn’t just your average, run of the mill threat? We’ve seen blended threats before. What if this takes the threat up a few notches?

The Microsoft Vulnerability cited in MS08-067 that Trend Labs found being exploited as a precursor to a new botnet is:

The vulnerability could allow remote code execution if an affected system received a specially crafted RPC request. On Microsoft Windows 2000, Windows XP, and Windows Server 2003 systems, an attacker could exploit this vulnerability without authentication to run arbitrary code. It is possible that this vulnerability could be used in the crafting of a wormable exploit.

What Microsoft doesn’t tell us is EXACTLY what that specially crafted RPC request is!

For those of you who do not know what RPC is, it’s the Remote Procedure Call code that allows you to do millions of things on your computer. For example, say you want to connect to a remote database somewhere, the RPC service is what calls (code language for requesting a connection, so to speak) the remote server to make the connection.

If you right click over your MY COMPUTER icon and choose MANAGE, you can navigate to Services and Applications and see the Services running on your computer. Switch to the Standard tab and you’ll see the alphabetical list of every service running and stopped on your computer. Find the Remote Procedure Call (RPC) service in the list. Either double click it to open it or right click and choose properties. Look at the Dependencies tab.

The Dependencies are all the other programs and services that need to use this service! (Covered in our Advanced PC Security course, by the way!)
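The same dependency lookup done from PowerShell, plus a check for whether the three bulletins listed above are installed on the machine. This is an added example, not code from the original post; it assumes a Windows host with PowerShell, uses RpcSs (the internal name of the Remote Procedure Call service), and takes the KB numbers from the bulletin titles quoted above.

```powershell
# Added example (not from the original post). Assumes PowerShell on Windows.

# 1. List everything that depends on the Remote Procedure Call (RPC) service,
#    the same information the Dependencies tab in Computer Management shows.
#    RpcSs is the internal service name behind "Remote Procedure Call (RPC)".
$rpc = Get-Service -Name RpcSs
Write-Host "RPC service status: $($rpc.Status)"
Write-Host "Services that depend on RPC:"
$rpc.DependentServices | Sort-Object DisplayName |
    ForEach-Object { Write-Host ("  {0,-12} {1}" -f $_.Status, $_.DisplayName) }

# 2. Check whether the patches from the bulletins above are installed.
#    KB numbers are the ones printed in each bulletin title on this page.
$bulletins = @{
    'MS08-067' = 'KB958644'   # Server Service RPC flaw (the wormable one)
    'MS08-068' = 'KB957097'   # SMB
    'MS08-069' = 'KB955218'   # MSXML Core Services
}

# Get-HotFix reports the KB of each installed package. Where a bulletin
# shipped several component packages (MS08-069 did, one per MSXML version),
# "not listed" means verify by other means, not necessarily unpatched.
$installed = Get-HotFix | Select-Object -ExpandProperty HotFixID
foreach ($b in $bulletins.GetEnumerator() | Sort-Object Key) {
    if ($installed -contains $b.Value) {
        Write-Host ("  {0} ({1}): installed" -f $b.Key, $b.Value)
    } else {
        Write-Warning ("{0} ({1}) is not listed - verify and patch first" -f $b.Key, $b.Value)
    }
}
```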

Now, add that to the multitude of mashups, web apps, and other web vulnerabilities, like cross-site scripting and the like, and you’ve got a recipe for disaster!

I want to go on record stating right here, right now, that I believe Ad servers are serving up a new kind of bot that we have not seen the likes of yet!

Now, let’s add to this the more detailed reporting on part of this (found after much digging, I might add), which explains how the code could be misconfigured. For those of you more technically oriented, see this link: FIO02-C. Canonicalize path names originating from untrusted sources, and this link: More detail about MS08-067, the out-of-band netapi32.dll security update

Now, why am I so sure that this is going to come through ads?

Consider this… most ad services allow you to remotely host your advertising feed content. That being the case, who’s policing what’s being served? No one. If someone was, why are we still getting Antivirus 2009 and its variants being delivered through ads? My Gmail is full of malware that comes in through my alerts! So tell me, who’s minding the store?

I really hope I’m wrong about this but my gut tells me that I’m not.

I think we are in for one heck of a new bot! Don’t say I didn’t warn you!

As always, comments welcome!




RUBotted Pop-ups Continued….


Are you getting sick of these posts? I know I am!

Anthony has decompiled the flash file I sent him and the file is benign – meaning it’s harmless.

So, this confirms what our readers have been saying – it’s not in the flash stupid! :-P

That being said, where does that leave us?

Well, we’ve done some investigative work with other ads and sites that are not producing the pop-up but have some interesting activity in the pages and scripts. And that’s where we’re leaning now – PHP and Javascripts.

The PHP code in some pages allows for the rotation of content without the user knowing or being aware. The Javascripts nestled inside of javascripts, inside of javascripts provide for some very interesting behaviors.

As I’ve posted before, I think the advertising companies are clueless as to the state of their advertisers pushing malware and maybe it’s time we deliver the wake-up call.

We will, as always, keep you posted!

As a related side note: Do you remember a time when we all scrambled to get a pop-up blocker? Whether it was in the form of a toolbar or a browser add-on, we wanted the pop-up ads to stop.

Whatever happened with that?

I’ve noticed I’m getting pop-up ads again whether they pop-up on a page, pop-under a page, or roll back from the corner of the page. So much for pop-up blockers huh?




Bot Update


Last night I updated my Flash files and I was still getting notices as per my added notice on the post: A Possible Answer to the RUBotted Pop-ups?

However, this morning – upon boot – I’ve yet to receive one.  I also went directly to the main file disclosed in the previous post that was serving up the ad and I did not receive the pop-up.

At this point, I can only conclude that the flash was the vulnerability and it is NOT a glitch or bug in RUBotted.

Anthony Valente, my partner from Network Defense Solutions is working with the Flash file I sent him this morning to find out what it was in the file that might have been doing this. Only by understanding how the malware providers are pushing this crap on us, can we understand how to protect ourselves.

Stay tuned for more disturbing news about the ad servers from hell! You are not going to be happy when you hear what Anthony has uncovered through my initial research with the Antivirus 2009!

In the meantime, go update your flash players PLEASE!


