The RUBotted Saga Continues
I thought this issue might have been a false positive because of finding the IP address belonging to TrendMicro. (See: http://mice.org/blog/i-found-the-bot/)
But over the weekend, I’ve heard from many of you that you are experiencing a shut down of your AV software on reboot, or after you shut down and restart the next morning. This is a very disturbing trend.
I’ve noticed myself that when the pop-up appears, I’m getting complacent about just clicking the “No” button and ignoring it. This is also disturbing. We should never become complacent in our security.
I still stand by my original post that there is something being served us through the ads on these sites. That is the only logical explanation I can come up with. But what? And how?
The pop-up states that, “Someone has launched malicious software on your computer by remote control.”
So that started me thinking. What if….. what if something in an ad is triggering the launch of some Microsoft service? Like their lame a** Malicious Software Removal Tool?
Here’s what I did…. I took a copy of my task manager and all the services running in the background. I also opened my Spybot Search and Destroy in Advanced Mode to see if there was anything like MRT running inside the services process. Knowing my baseline of what’s running, I would then try to get the popup again from the known pages that I’ve visited and received it.
If this theory is correct, something should show up in my running processes immediately!
So, I closed down unnecessary services running in the background and this is how my Task Manager reads currently.
I have watched the running processes change and the only thing I’ve seen so far is that services.exe pops up with a high CPU commitment when the RUBotted pops up. I cannot see through my running processes in Spybot where there is any other process being activated at the same time.
I really don’t think this is totally benign – or harmless – at this point. I think this is a serious problem and we need to get to the bottom of it. Especially since people are reporting in with their AV being shut off. This is not a harmless action by any means!
Please be diligent. Check your AV software to make sure it’s running repeatedly throughout the day.
In the meantime, I’m going to turn on my test machine and see if I can nab this bad boy!
Debbie
Y’know… I first heard of RUBotted when Lifehacker featured it. I wonder if calling this to their attention might help? Even if Trend Micro isn’t responding to your emails, I bet they’d respond to one from the Lifehacker staff.
Maybe they would, maybe they wouldn’t. Thanks for pointing out how much more important you feel Lifehacker’s site is than mine. I feel so much better already! Do you work for them? (Sorry if it sounds sarcastic. I find it difficult to word it any differently.)
Guess I need to close down shop since Lifehacker has it covered.
By the way, if they are so great, why did you stop here? Just wondering……
Debbie
Debbie,
That wasn’t what I was saying at all. I’ve found your coverage of this completely terrific, and your troubleshooting skills are just amazing. What I meant was that I discovered RUBotted *in the first place* several months ago because of an article they did on it, which means that probably several thousand other people did too… and those people are probably all having the same problems we are.
I thought that perhaps because they’ve sent so much traffic toward Trend Micro that the company would be a little quicker to respond if they got a note from some Lifehacker reporter who said “Hey, several thousand people we sent to your site are having trouble with the thing we told them to download from you” than they would if you or I or any other individual user sent them an email. That’s all I meant. Sorry for the miscommunication.
Facebook User reply on November 24th, 2008 6:11 pm:
@Molly B, Please forgive my jumping to conclusions! Please? I am so sorry I was so rude to you. I feel just horribly now. Please, tell me you accept my apology because I feel horrible – absolutely horrible now!
Debbie
That’s okay. I suspected that your brain was probably a little bit fritzed from spending hours trying to figure this thing out.
I’m so impressed that you tracked it all the way to the latest Flash update–great detective work!
A few months ago I had a problem with embedded video in Firefox. I found that instead of updating Flash, I had to roll back to the previous version. That fixed it temporarily, and by the next automatic Flash update they had patched it. That issue was a problem with the codecs installed in the Flash update, so it wouldn’t be the same thing as this, but I do wonder if rolling back instead of moving forward might do the trick? I might turn RUBotted back on and try it (I turned it off when HouseCall and Spyware S&D both came up negative). Of course, that can open up whole OTHER security issues… sigh.
Please don’t worry about your previous post–we all have off days.
Facebook User reply on November 24th, 2008 10:58 pm:
@Molly B, Thank you so much. Your kindness is overwhelming and deeply appreciated. This Thanksgiving, I will give thanks for visitors like you!
Stay safe! Debbie
Debbie!
I do like the fact that you stated check the AV software, and it’s something a lot of people take for granted. If it’s one thing I’ve noticed in XP and have exploited myself, it is that if you run a function from any language (mostly VB/C) to TerminateEXE(“norton.exe”) you WILL notice that it leaves the application in the systray. The systray in Microsoft is programmed badly, as well. Hovering your mouse over it will also let you know if your AV software is engaged.
Another malicious trick I’m sure someone is using somewhere is to {yes i know up to my old tricks} grab a screen shot, kill the AV software, reload systray and inject a bogus anti-virus application at the bottom. Is it running, yes! Is it protecting you? No! And, this is a trick that most users aren’t aware of.
I’m going to follow these details closely and start this up in my VM. I will do the testing in both Windows and in Linux. Maybe I’ll get brazen and download the entire web site locally. To answer your requests; I’m SURE the ad networks are well aware of the problem and are keeping it on the hush. Why? Targeted sales that turn into more cash, that’s why! When I look into this, I’ll try a few renditions of security to see where it lays best. And, I’ll send you the article to post to help everyone sustain some form of protection.
I’ll start with JS and lead myself up to Flash. Something tells me I will also be leaning towards ActiveX as well.
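Two points in this thread lend themselves to a small script: Debbie’s method in the post of taking a baseline of running processes and then re-triggering the pop-up to see what changes, and the comment above about a systray icon lingering after the AV process itself has been killed. The Python below is an added example, not code from the blog or from any commenter. It diffs two `tasklist /FO CSV` snapshots and checks that the processes you expect to be protecting you are actually present, so you are trusting the process list rather than the tray icon. The snapshots, PIDs and memory figures are constructed for the example, and “norton.exe” (a name taken from the comment) stands in for whatever your AV really runs as.

```python
import csv
import io

# Constructed sample snapshots in the shape produced by `tasklist /FO CSV`
# on Windows XP (header row, then one row per process). Not captured from
# anyone's machine; the PIDs and memory figures are made up.
BASELINE = """\
"Image Name","PID","Session Name","Session#","Mem Usage"
"System Idle Process","0","Console","0","28 K"
"services.exe","684","Console","0","4,120 K"
"explorer.exe","1492","Console","0","22,904 K"
"norton.exe","1700","Console","0","11,320 K"
"RUBotted.exe","1840","Console","0","6,512 K"
"""

# Constructed "after the pop-up" snapshot: the AV process is gone, services.exe
# has grown, and a new process has appeared (mrt.exe is only a sample row).
AFTER_POPUP = """\
"Image Name","PID","Session Name","Session#","Mem Usage"
"System Idle Process","0","Console","0","28 K"
"services.exe","684","Console","0","9,876 K"
"explorer.exe","1492","Console","0","22,904 K"
"RUBotted.exe","1840","Console","0","6,512 K"
"mrt.exe","2216","Console","0","15,004 K"
"""

# Processes whose absence is an alert; "norton.exe" is a placeholder for your AV.
EXPECTED = {"norton.exe", "rubotted.exe"}

def parse_tasklist(text):
    """Return {(image_name_lower, pid): mem_kb} from tasklist CSV output."""
    procs = {}
    for row in csv.DictReader(io.StringIO(text)):
        mem_kb = int(row["Mem Usage"].replace(",", "").split()[0])
        procs[(row["Image Name"].lower(), int(row["PID"]))] = mem_kb
    return procs

def diff_snapshots(before_text, after_text, expected=EXPECTED):
    """Compare two snapshots: new/gone processes, large memory growth, missing AV."""
    before = parse_tasklist(before_text)
    after = parse_tasklist(after_text)
    new = sorted(k for k in after if k not in before)
    gone = sorted(k for k in before if k not in after)
    # Survivors that more than doubled in memory (the services.exe spike in the post)
    grown = sorted(k for k in after if k in before and after[k] > 2 * before[k])
    missing = sorted(expected - {name for name, _ in after})
    return {"new": new, "gone": gone, "grown": grown, "missing": missing}

if __name__ == "__main__":
    for key, value in diff_snapshots(BASELINE, AFTER_POPUP).items():
        print(f"{key}: {value}")
```

On a real machine, save `tasklist /FO CSV > before.csv` before visiting the page and `tasklist /FO CSV > after.csv` when the pop-up appears, then feed both files to `diff_snapshots`; a non-empty `missing` list means the AV process is gone regardless of what the systray shows.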