Trend Micro RUBotted alert!

Hi co-malware fighters,

How do I follow up on the following alert I received from RUBotted: “Detected DNS query of malicious domain”?
This alert came as I used Firefox to search specific code changes in the Mozilla repositories.
I did a full scan with DrWeb’s CureIt, a SAS scan and an MBAM one; nothing there. Analysis of an HJT log also did not show anything out of the ordinary. What to check next?

polonus

The first thing I would have been asking is what the domain it considers malicious was and, having found out what that was, checking whether it truly is malicious; i.e. what is to say RUBotted got it right?

If it doesn’t report the domain it considers malicious, I would say its worth is limited, or rather there is no way you can test its accuracy, blacklist, etc.

Hi DavidR,

I have no idea what triggered it, but it then offered a free Trend Micro HouseCall scan.
As it is all green now, I think not much of the incident.

polonus

I hate those types of alerts; they make me think of the rogueware that has fake alerts, especially when they are accompanied with “have a free scan”. Not that I believe this is what Trend is up to, but it does follow that familiar pattern of giving the person a headache and selling them the aspirin (headache tablets).

When I updated my copy of Firefox 3.03 to 3.04 recently, PC Doctor (Starter Edition) alerted me to adware.Zango something. I thought it was just a fp & allowed it.

Do you think these two fp’s could be related? Maybe RUBotted and PC Doctor are detecting the same fp?

Hi rdmalloyjr,

You were lucky there, because you got a lead with at least a name of the PUP (possibly unwanted program),
and you had better read this: http://www.spamlaws.com/zango-adware.html
The lines are drawn thin here: the one spyware solution will flag some undesirable adware, the other again others, but there is no “general window of protection”, so to say. I had nothing more than a detected DNS query of some sort (maybe a subdomain), and even this is questionable, because at the time all scripts running inside the browser had been blocked by NoScript, leaving only the possibility that it came through one of NoScript’s trusted sites, e.g. one of Mozilla’s code repositories.
What I could do is open up EventLogExplorer for an extra clue. Then, here is a worst-case scenario if a FW does not protect: http://forums.pcpitstop.com/index.php?showtopic=119903

What I found in this instance in yesterday’s logs is the LSA process (Local Security Authority), a kSecDD and scecli logon process negotiation for CHAP; it could have been because of a code message program that others can add to, or an attempt to cheat CHAP. Pure speculation, so to speak. I think this connection was flagged: 80.67.86.22:53, made by the Minefield browser.

pol

Full scans with MBAM free, SAS free, the ESET online scanner & avast! don’t find anything; it’s a fp.

It’s just something in Firefox &/or the Mozilla repositories that’s triggering fp’s in PC Doctor & RUBotted.

I don’t like PC Doctor; it only finds fp’s. It had been a while since I’d tried PC Doctor, so I thought I’d give the Starter Edition a try.

I don’t care for PC Tools software. I used to like their fw, but the more it advances & passes more fw & leak tests, the more problems it has.

I prefer a fw that is just a fw. I hope the avast! Personal Firewall won’t be a “jack of all trades”.

Hi DavidR,

I too have this, but I can’t get it back to green. Every time I open Firefox the popup comes on to tell me I have a bot, and then “Detected DNS query of malicious domain”. Everything I have run to try to find this bot, including HouseCall, tells me I have no threats on my computer. You say you would have been asking what the domain was; since I’m new to all of this, how would you do this?

thx for any help you can offer me,
nanajana

Are you able to capture an image of the pop-up, e.g. is this the Trend Micro RUBotted alert that this topic is about?

Though even if it were, then it is strange that it would be every time you open Firefox; where is Firefox trying to go when you open it?

It could be that you have malware on your system that is trying to get to a site to download more malware, and that is being detected by whatever is doing the detection (which isn’t clear yet).

There have been a number of other anti-spyware tools and some on-line scanners mentioned above; have you tried scanning your system with any of them?

If you haven’t already got this software (freeware), download, install, update and run it, preferably in safe mode, and report the findings (it should produce a log file).

  1. SUPERantispyware, On-Demand only in free version.

  2. MalwareBytes Anti-Malware, On-Demand only in free version http://download.bleepingcomputer.com/malwarebytes/mbam-setup.exe, right click on the link and select Save As or Save File As (depending on your browser), save it to a location where you can find it easily later.

On-line Virus Scanners and other useful links: Security-Ops.eu.tt. New on-line scanner: http://www.eset.com/onlinescan/

You could also use an on-line scanner to confirm: establish a connection to the on-line scanner of your choice and, just before you do the scan, pause Standard Shield; enable it again after completion.
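DavidR’s point above (and nanajana’s question of how to do it) is that the alert is only actionable once you know which domain was queried. RUBotted does not show it, so you have to capture it yourself: on a Windows or Unix box, Wireshark or `tcpdump -n udp port 53 -w dns.pcap` on the interface in use will record every DNS query the machine sends, and the queried name sits in the question section of each packet. The following is an added example, not code from the thread or from Trend Micro, that decodes the question section of a raw DNS query (including RFC 1035 name compression) and checks the name, and each of its parent domains, against a blocklist. The packet bytes, the domain `ads.example.net` and the blocklist entries are constructed placeholders for illustration only.

```python
import struct

# Constructed example: the UDP payload of one DNS query as a sniffer on port 53
# would capture it. The queried name (ads.example.net) is a placeholder; it is
# not the domain from the thread, which RUBotted never reported.
SAMPLE_QUERY = bytes.fromhex(
    "abcd"                 # transaction ID
    "0100"                 # flags: standard query, recursion desired
    "0001"                 # QDCOUNT = 1
    "0000" "0000" "0000"   # ANCOUNT, NSCOUNT, ARCOUNT
    "03" "616473"          # label "ads"
    "07" "6578616d706c65"  # label "example"
    "03" "6e6574"          # label "net"
    "00"                   # root label terminates the name
    "0001"                 # QTYPE  = A
    "0001"                 # QCLASS = IN
)

# Constructed blocklist (assumption: whatever list you trust, one entry per
# line, registrable domains). Parent-domain matching below means a query for
# any subdomain of an entry is also a hit.
BLOCKLIST = {"example.net", "badsite.test"}

QTYPE_NAMES = {1: "A", 2: "NS", 5: "CNAME", 15: "MX", 16: "TXT", 28: "AAAA"}


def decode_name(packet, offset):
    """Decode a DNS name at `offset`, following compression pointers (0xC0xx).

    Returns (name, offset_after_name), where the offset is the position just
    after the name as written at the original location, so the caller can keep
    parsing the fixed fields that follow it.
    """
    labels, end, hops = [], None, 0
    while True:
        if offset >= len(packet):
            raise ValueError("truncated name")
        length = packet[offset]
        if length & 0xC0 == 0xC0:                      # compression pointer
            if offset + 1 >= len(packet):
                raise ValueError("truncated pointer")
            pointer = ((length & 0x3F) << 8) | packet[offset + 1]
            if end is None:                            # remember where the
                end = offset + 2                       # original name ends
            hops += 1
            if hops > 64 or pointer >= offset:         # refuse loops/forward jumps
                raise ValueError("bad compression pointer")
            offset = pointer
            continue
        if length == 0:                                # root label: done
            offset += 1
            break
        label = packet[offset + 1:offset + 1 + length]
        if len(label) != length:
            raise ValueError("truncated label")
        labels.append(label.decode("ascii", errors="replace"))
        offset += 1 + length
    return ".".join(labels), (end if end is not None else offset)


def parse_dns_questions(packet):
    """Return [(name, qtype, qclass), ...] from the question section."""
    if len(packet) < 12:
        raise ValueError("short DNS header")
    _txid, _flags, qdcount, _an, _ns, _ar = struct.unpack("!HHHHHH", packet[:12])
    offset, questions = 12, []
    for _ in range(qdcount):
        name, offset = decode_name(packet, offset)
        if offset + 4 > len(packet):
            raise ValueError("truncated question")
        qtype, qclass = struct.unpack("!HH", packet[offset:offset + 4])
        offset += 4
        questions.append((name.lower(), qtype, qclass))
    return questions


def match_blocklist(name, blocklist):
    """Return the blocklist entry that covers `name` (itself or a parent), else None."""
    labels = name.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in blocklist:
            return candidate
    return None


def triage_query_packet(packet, blocklist=BLOCKLIST):
    """Decode one query packet and report each questioned name with its blocklist hit."""
    return [
        {"name": name, "qtype": QTYPE_NAMES.get(qtype, str(qtype)),
         "hit": match_blocklist(name, blocklist)}
        for name, qtype, _qclass in parse_dns_questions(packet)
    ]


if __name__ == "__main__":
    for entry in triage_query_packet(SAMPLE_QUERY):
        verdict = f"matches {entry['hit']}" if entry["hit"] else "not on list"
        print(f"{entry['qtype']:5} {entry['name']:30} {verdict}")
```

Feeding it a real capture means reading the UDP payloads out of the pcap (for example with the `dpkt` or `scapy` packages) and calling `triage_query_packet` on each one; queries to the resolver with no hit are the normal background, and the one that lines up with the alert’s timestamp is the one to look up by hand before believing the “bot” verdict.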

Hi DavidR

Yes, Trend Micro RUBotted is what this is about. I just went into Explorer and it didn’t come up, and also Firefox and it didn’t come up, so maybe it just seems like it’s every time. Oops, it just came up again, right after I closed Firefox, and then a second time right away, so maybe one for Firefox & one for Explorer; each goes to my homepage, different on both browsers, and neither tries to direct me anywhere else. Below is exactly what the popup says:

Bot Found

Someone has launched malicious software on your computer by remote control.

You can use Trend Micro HouseCall to clean your computer for free.

Want to open HouseCall now? As I stated, I did, & no threats were found.

I will follow your instructions since I haven’t run any of those, hopefully they work with Vista,

thx,
nanajana

Both of the programs mentioned work with Vista.

Hi DavidR,

Okay, so I ran MBAM; this is the gist of what the log file said:

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 0
Registry Data Items Infected:
HKEY_CLASSES_ROOT\scrfile\shell\open\command\ (Broken.OpenCommand) → Bad: (NOTEPAD.EXE %1) Good: (“%1” /S) → Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\regfile\shell\open\command\ (Broken.OpenCommand) → Bad: (NOTEPAD.EXE %1) Good: (regedit.exe “%1”) → Quarantined and deleted successfully.

I removed both and am going to try to install SUPERAntiSpyware. I was having a problem, but hopefully I have figured that one out and it should install now.

nanajana

OK, in this case it doesn’t actually delete anything, then, but just corrects a context error in the registry; it does keep a pre-modified version in the quarantine, just in case.
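For anyone who wants to verify the kind of “context error” the MBAM log above reports without running another scanner: the two entries are the default values of `HKEY_CLASSES_ROOT\scrfile\shell\open\command` and `HKEY_CLASSES_ROOT\regfile\shell\open\command`, i.e. what Windows runs when a `.scr` or `.reg` file is opened, and MBAM printed both the value it found (`NOTEPAD.EXE %1`) and the value it restored. The following is an added example, not code from the thread or from Malwarebytes, that parses a `.reg` export of those keys (as written by `reg export "HKEY_CLASSES_ROOT\scrfile\shell\open\command" scr.reg` on the machine in question) and flags any default that deviates from the “Good:” values in the log. Only the two handlers named in the log are checked; the two export texts below are constructed to reproduce the hijacked and the repaired state.

```python
import re

# Known-good defaults for the two handlers named in nanajana's MBAM log, taken
# from the "Good:" values it printed. Other file types are not covered here;
# extend the table from a known-clean machine if you need them.
EXPECTED_OPEN_COMMANDS = {
    r"HKEY_CLASSES_ROOT\scrfile\shell\open\command": '"%1" /S',
    r"HKEY_CLASSES_ROOT\regfile\shell\open\command": 'regedit.exe "%1"',
}

# Constructed .reg exports in REGEDIT5 format (what `reg export` writes;
# string data escapes backslashes and double quotes with a backslash).
# The first reproduces the state from the log, the second the repaired state.
HIJACKED_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\scrfile\shell\open\command]
@="NOTEPAD.EXE %1"

[HKEY_CLASSES_ROOT\regfile\shell\open\command]
@="NOTEPAD.EXE %1"
'''

CLEAN_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\scrfile\shell\open\command]
@="\"%1\" /S"

[HKEY_CLASSES_ROOT\regfile\shell\open\command]
@="regedit.exe \"%1\""
'''

# A value line is either @=... (the key's default value) or "name"=...
_VALUE_LINE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')


def _unquote(text):
    """Strip the surrounding quotes of a .reg string and undo its backslash escapes."""
    if len(text) >= 2 and text[0] == '"' and text[-1] == '"':
        text = text[1:-1]
    return re.sub(r"\\(.)", r"\1", text)


def parse_reg_export(text):
    """Parse REGEDIT5 text into {key_path: {value_name: data}}.

    The default value is stored under the empty name "". Quoted strings are
    decoded; other data types (dword:, hex:, ...) are kept as their raw text.
    """
    tree, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            tree.setdefault(current, {})
            continue
        match = _VALUE_LINE.match(line)
        if current is None or not match:
            continue
        name, data = match.groups()
        name = "" if name == "@" else _unquote(name)
        tree[current][name] = _unquote(data) if data.startswith('"') else data
    return tree


def load_reg_file(path):
    """Read a .reg file as `reg export` writes it (UTF-16 with BOM)."""
    with open(path, encoding="utf-16") as handle:
        return parse_reg_export(handle.read())


def check_open_commands(tree, expected=EXPECTED_OPEN_COMMANDS):
    """Return [(key, found_default, expected_default)] for every handler that deviates."""
    findings = []
    for key, good in expected.items():
        found = tree.get(key, {}).get("")
        if found is None or found.strip().lower() != good.lower():
            findings.append((key, found, good))
    return findings


if __name__ == "__main__":
    for label, export in (("hijacked", HIJACKED_EXPORT), ("clean", CLEAN_EXPORT)):
        findings = check_open_commands(parse_reg_export(export))
        print(f"{label}: {len(findings)} deviating handler(s)")
        for key, found, good in findings:
            print(f"  {key}\n    found:    {found!r}\n    expected: {good!r}")
```

Run against an export from the live machine, an empty result means the handlers already match the values MBAM restored; a non-empty one tells you exactly which command would run when a screensaver or registry file is opened, which is far more useful than a scanner’s one-line verdict when deciding whether a reported item was real or a false positive.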

So does this mean anything to me, or is it all just taken care of? I’m ready now to run SAS. Also, I was telling my sis all about this and told her to run RUBotted for her own protection; the exact same thing is happening to her!

nanajana

Well I think you can see from this topic that it isn’t particularly reliable.

When you do get a problem reported, there is so little (read: zero) information to try and analyse whether it is good or bad, and that for me is a failing. Nothing is ever going to be 100%, and false positives are a fact of life with security programs, but they at least have to give enough information so you can confirm one way or another.

When all they offer is a scan by HouseCall, to me that is very close to RUBotted being used as a tool to promote Trend Micro’s HouseCall and their product range. Though that unethical behaviour is unlikely to be the case, the code is certainly sloppy when you get insufficient information to investigate. For me, the hassle and concern that you are experiencing far outweigh the benefit of having the tool in the first place.

Trend Micro RUBotted is a BETA program

I ran SAS and got 1 hit, adware threat low, as it is a tracking cookie. I have spent way too much time on this, so I’m taking it off my computer, since it is the only thing that finds this bot. I have run HouseCall 6.6, Trend Micro Pro 2009, avast! Home Edition and HijackThis, & sent the log to my techie nephew, who could really find nothing; allowed him remote access to my computer, nothing; did a system restore, same old same old (that was a pain, because of course I had to reload everything to run them all again), still nothing (except tracking cookies) in SAS & MBAM. All of these were thorough scans, so now I’m removing RUBotted and forgetting about it unless something else happens!

Thanks for all your help, I really appreciated it! If anything else comes along please feel free to contact me. I’ll also be watching to see if anyone else has this problem besides polonus.

nanajana

You’re welcome.

As I said, RUBotted: too much grief, not enough grin ;D

Hi nanajana,

Here is what I found for Nov 22 last : http://163.28.49.5/cgi-bin/cachemgr.cgi?host=localhost&port=3128&user_name=&operation=ipcache&auth=

polonus

Hi folks! I have covered this subject extensively since its inception last week here:
http://mice.org/blog/what-ad-server-is-dishing-up-malware-and-bots/

The popups are slowing down, but they are still showing up.
I’m writing another post today because I’m hearing this is actually shutting down people’s AV software. I’ve heard it turn off AVG, ZA (no avast! though! ;D) and Trend Micro.

Although I had found the IP address of the related popup, it’s not accounting for what’s triggering it.

I honestly believe there is a bot in the ad servers, and until anyone proves it to the contrary, that’s my stance on it. Be careful! I don’t trust this thing.

I hope this helps.
Debbie