What Ad Server is Dishing Up Malware and Bots?
Folks, I think we have a problem, right here in Internet City. Ok, that’s a bad play on words from the Music Man song. But I am VERY SERIOUS. Or, as the saying goes, I’m as serious as a heart attack!
I’m greatly disturbed by something that’s happening repeatedly and with great regularity!
Every morning I go to a website: tarot.com to read my horoscope and other tidbits of information. My housemate visits there too on weekend mornings.
First, let me preface this by saying that over the past several months, tarot.com has added a slew of Google ads (adsense) and other ad delivery services to their site. Their site content is free so I do understand the need to generate income, believe me I do!
The reason I’m telling you this is because there seems to be a direct correlation between the amount of ad content and the quickly spreading malware that we are seeing recently.
Just now, as I’m writing this, I received a call from another person that told me the same thing happened to him on Yahoo Mail. I immediately went to Yahoo and received the exact same pop-up message again! This botnet thing - whatever it is - is disabling the Antivirus programs too!
Last weekend, while at tarot.com my housemate received the dreaded Antivirus 2009 pop-up message while visiting their site. Of course, he knows how to exit that without becoming infected with the Trojan, and I alerted their support immediately. They said they would investigate. To date, I have not received that particular message and I’ve heard nothing further from the folks at Tarot.com.
This morning, I’m visiting there and I get my Trend RUbotted pop-up stating that a bot was found.
So, I immediately close my browser and start the scans. Here’s the interesting part, every scan came up negative.
And even my RUBotted log doesn’t even acknowledge a threat! WHAT????
I even went so far as to scan with Trend’s online Housecall! And no threats found. WTF?
Now, I shut down - totally shut down because something is deeply wrong here.
I boot to the following problem with TrendMicro Internet Security Pro:
My Trend is disabled and I cannot restart it.
Now I run Spybot Search and Destroy. I only find a few measly cookies in Firefox and a bad saved bookmark that I didn’t know was dangerous!
Now I’m perplexed! What in the heck is going on????
Now, I run a wireshark packet capture and I go back to Yahoo Mail to see if I can duplicate the bot message. And sure enough! There it is again!
But this time, I have an IP address!
150.70.89.33
WhoIS says this:
OrgName: Asia Pacific Network Information Centre
OrgID: APNIC
Address: PO Box 2131
City: Milton
StateProv: QLD
PostalCode: 4064
Country: AU
So now I go to the Whois for APNIC (http://wq.apnic.net/apnic-bin/whois.pl) and find this on the IP:
inetnum: 150.26.0.0 - 150.100.255.255
netname: JAPAN150
country: JP
descr: Japan Network Information Center
admin-c: JNIC1-AP
tech-c: JNIC1-AP
status: ALLOCATED PORTABLE
notify: hostmaster@nic.ad.jp
mnt-by: MAINT-JPNIC
changed: hm-changed@apnic.net 20070824
source: APNIC
role: Japan Network Information Center
address: Kokusai-Kougyou-Kanda Bldg 6F, 2-3-4 Uchi-Kanda
address: Chiyoda-ku, Tokyo 101-0047, Japan
country: JP
phone: +81-3-5297-2311
fax-no: +81-3-5297-2312
e-mail: hostmaster@nic.ad.jp
admin-c: JI13-AP
tech-c: JE53-AP
nic-hdl: JNIC1-AP
mnt-by: MAINT-JPNIC
changed: hm-changed@apnic.net 20041222
changed: hm-changed@apnic.net 20050324
changed: ip-apnic@nic.ad.jp 20051027
source: APNIC
Surprise, surprise! Japan is at it again!
So, now I’m peeved, to say the least. Bastages!
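To make the whois step repeatable, here is a small added example (my own code, not something from the original post or from APNIC) that parses the inetnum object quoted above and checks whether the captured IP actually falls inside that allocation. It also reports how big the block is, which is the caveat to keep in mind: the RIR record only says the range is delegated to JPNIC, so it can tell you the country, not which organisation operates the host. The WHOIS_TEXT below is a constructed copy of the inetnum object from the post, trimmed to that one object.

```python
import ipaddress
from typing import Dict, List, Tuple

# Constructed sample: the APNIC inetnum object quoted in the post, trimmed to one object.
WHOIS_TEXT = """\
inetnum: 150.26.0.0 - 150.100.255.255
netname: JAPAN150
country: JP
descr: Japan Network Information Center
admin-c: JNIC1-AP
tech-c: JNIC1-AP
status: ALLOCATED PORTABLE
notify: hostmaster@nic.ad.jp
mnt-by: MAINT-JPNIC
changed: hm-changed@apnic.net 20070824
source: APNIC
"""


def parse_whois(text: str) -> Dict[str, List[str]]:
    """Parse 'key: value' RIR whois lines into a dict.

    Keys are lower-cased; keys that repeat (e.g. 'changed') collect every value in order.
    Blank lines and '%'/'#' comment lines, as emitted by RIR servers, are skipped.
    """
    record: Dict[str, List[str]] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("%", "#")):
            continue
        key, sep, value = line.partition(":")
        if not sep:
            continue
        record.setdefault(key.strip().lower(), []).append(value.strip())
    return record


def inetnum_range(record: Dict[str, List[str]]) -> Tuple[ipaddress.IPv4Address, ipaddress.IPv4Address]:
    """Return (first, last) addresses from the 'inetnum: A - B' field."""
    start, _, end = record["inetnum"][0].partition("-")
    return ipaddress.ip_address(start.strip()), ipaddress.ip_address(end.strip())


def ip_in_allocation(ip: str, record: Dict[str, List[str]]) -> bool:
    """True if ip lies inside the record's inetnum range (inclusive)."""
    first, last = inetnum_range(record)
    return first <= ipaddress.ip_address(ip) <= last


def summarize(ip: str, text: str) -> dict:
    """Parse the record and report what the RIR-level whois actually establishes about ip."""
    record = parse_whois(text)
    first, last = inetnum_range(record)
    return {
        "ip": ip,
        "in_range": ip_in_allocation(ip, record),
        "netname": record["netname"][0],
        "country": record["country"][0],
        "status": record["status"][0],
        # Size of the delegated block: a large number here means "a whole national
        # registry", not "one operator", so whois alone cannot name the host's owner.
        "range_size": int(last) - int(first) + 1,
    }


if __name__ == "__main__":
    print(summarize("150.70.89.33", WHOIS_TEXT))
```

For the IP in the post the range check passes and the block turns out to be 75 /16s (4,915,200 addresses), which is why the country is all this lookup can really pin down.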
I grabbed the Yahoo mail page source code and the Tarot.com source code. There has to be something duplicated between these two pages that are displaying the same ad code that is allowing this to get in. What is it?
Looking at both pages, I found the advertising code and Tarot.com is using DoubleClick (ad.doubleclick.com) while Yahoo is using the ad.yieldmanager.com which, after research I tracked down to Right Media.
The tarot.com ad code:
The Yahoo Mail page ad code:
I typed in yieldmanager.com since the ad.yieldmanager.com is a sub-domain of yieldmanager.com and I received this result:
So, I went to the right media site and it turns out yieldmanager is a Yahoo company! Imagine that?
So, here’s what I did. I blocked ad.yieldmanager.com in my Firefox cookies and I blocked ad.doubleclick.net.
You can also do the same in IE if you are using that. If you need directions on how to do this, contact me.
Now, here’s my take on this situation. One or several, if not all, of the following situations are going on here. The possibilities are:
- The same malware creator is advertising on all the advertising networks so (s)he can push the malware.
- All the ad servers have been compromised.
- All the ad servers have been injected with a code that will serve up this malware.
Either way you look at it, it appears that the advertising networks are clueless that they are putting all users at risk in their effort to generate revenue.
If you would like a copy of my wireshark packet capture files please contact me and I’ll send them to you.
If you are an advertising network and you would like testing done on your servers, please contact us to get a quote for those services. We do penetration testing - remotely and on-site.
If you are an antivirus, malware, or firewall software provider and would like all our files, please contact us. (Please note that our forensic files are not given unless we receive acknowledgment for our findings. That includes our partners: Trend Micro and Symantec.)
And to those of you who are STILL NOT USING IT, I highly suggest getting the FREE botnet tool from TrendMicro located here: http://www.trendsecure.com/portal/en-US/tools/security_tools/rubotted
Your PC Security is ultimately your responsibility! None of these manufacturers are going to come and clean up your machine for you. You’re stuck cleaning up the mess after they fail to protect you. So, I would suggest you start protecting yourself and learning how to do that!
ADDED: 2:30 PM CTD, Business Week just gave me one!
(Check it out at your own risk! http://images.businessweek.com/ss/08/10/1023_btw/index.htm)
Tags: adsense, bot, botnet, botnet detection, bots, doubleclick, google, malware, pc security, penetration testing, right media, rubotted, Security, spybot search and destroy, trend, trendmicro
November 21st, 2008 at 12:00 am
I think I’m having the same problem.
I’ve had RUBotted on my PC for over 6 months, and have never received a warning from it until today. Earlier, it popped up with the same message you received, and has popped up a few times since. When I open the console, it gives me the same “No Bots Found” message and has zero entries in the log.
I ran scans with AVG, Spybot and AdAware, none of which found anything. I generated a HijackThis log and checked it on one of the log analyzer sites… nothing unusual there. I ran Avast’s anti-rootkit scanner… nothing there either. I’m currently running the online Housecall scan, but I doubt it will find anything.
Needless to say, I’ll be watching this issue closely. Thanks for keeping us up to date on this.
November 21st, 2008 at 10:57 am
I too have been having this issue as of November 20th, 2008, exactly as described by emcoffey3. I’ve had RUBotted on two laptops for almost a year, and yesterday both of them got the bot alert for the first time ever. All scans (Housecall online, Trend Micro Internet Security Pro, and even RUBotted) turn up empty. All temp files have been cleared from my PC, yet the alert keeps coming up. It even comes up when I disable my wireless radio from picking up connections.
If you’ve had this happen to you, please comment on it here so that we can have a record of your story. Maybe with all of our experiences recorded here, we can trial-and-error our way through this. Glad to know I’m not the only one having this issue.
November 21st, 2008 at 3:01 pm
I just got the bot alert again, this time while visiting dictionary.com. I looked at the page source and found these two ad servers:
http://iacas.adbureau.net
http://partner.googleadservices.com
Someone who knows more about getting info from page sources might be able to determine more than I could, but I did want to share what I’d found. Two more entries into my list of blocked sites!
Admin reply on November 22nd, 2008 2:43 pm:
@Lee, Thank you so much! As you may have seen, I’ve added your additions to the update on Friday’s Quickies! Your help is greatly appreciated. Debbie
November 21st, 2008 at 8:50 pm
I’m having the same problem with it. I’m downloading Avast at the moment but I ran a scan with AVG earlier and it didn’t show anything either. I’m wondering if a recent Microsoft Update is giving it a false flag? Anyone checked that possibility out?
Admin reply on November 22nd, 2008 2:45 pm:
@Ddraig, No, it can’t be the M$ updates. My machine is doing this and I recently updated. My partner’s machine is doing it and he has yet to upgrade. So the updates are not in common here. But good thinking!
November 22nd, 2008 at 4:54 am
I’m experiencing the same thing. RUBotted has been a silent utility in my systray for ages… until a couple days ago, and now it won’t shut up. Same behavior: It gives me a warning, but no amount of scanning by any antivirus/anti-spyware/anti-adware programs turns up a blessed thing. Using Wireshark, I have discovered that exact same IP address (150.70.89.33). So, I’m fairly perplexed. Is this a real threat? If so, why will nothing find it and clean it? Not even a formal scan by RUBotted finds it! If I reformat my PC, what’s to say it won’t come back again in a day or two?
So far, I find no suspicious processes on my PC, so I’m not sure if anything harmful is actually happening or not. Still, I’d like to get rid of it. Just seems impossible to do so.
Admin reply on November 22nd, 2008 2:49 pm:
@Ray, Actually, three people have reported, and myself in addition that at the first sign of this, the AV software was turned off by this thing. So I don’t believe it’s a total false positive. It took me quite a while to get my Trend turned back on in fact.
Of course much of the Internet Security elite are silent on this as well as the advertising companies. (I sound like Palin don’t I? :-P) So, until someone tells us whether or not ad servers have been compromised or what, we can only keep guessing.
Thanks for your comments!
Ray reply on November 22nd, 2008 3:04 pm:
@Admin,
Well, I can certainly reformat my hard drive and install ‘doze from scratch (I’ve been making preliminary preparations to do so), but I would be very upset if I go through all that and after a day or three the problem returns. I don’t consider myself particularly lax when it comes to security on my PC. I’ve always had a firewall (ZoneAlarm, primarily), anti-virus, Ad-Aware, Spybot Search and Destroy and so on. RUBotted is, uh, kind enough to alert me that there may be a bot, but apparently there is zero defense against it and no way to clean/resolve it.
So far my AVG Antivirus is working, though auto-updates don’t seem to be successful. Manual updates appear to do OK.
Wireshark shows that my PC is very chatty with 150.70.89.33 (or vice-versa) and I have no idea how to stop that.
Anyway, thank you for bringing this up here at your site. Finding information on it is paltry at best, though I also found some posts at AnandTech.com forums. I’m frustrated, but I guess I’ll just have to live with it. And, sorry for the long post.
Admin reply on November 22nd, 2008 3:32 pm:
@Ray, I’m concerned that your PC is very chatty with 150.70.89.33, do you have a port number? You could actually block it in your ZoneAlarm by creating a custom rule. Do you know how to do that? Also, do you know how to do netstat -an from the command prompt? That would tell you the port and if that IP is connected.
Let me know if you need help.
Debbie
Ray reply on November 22nd, 2008 3:42 pm:
@Ray,
(Yes, I’m talking to myself!)
Another update which you may find useful or annoying: I’ve installed Wireshark on my Mac and I’ve had it running for about a half hour now. So far I see no communication with 150.70.89.33. In fact, the traffic is quieter overall on my Mac. I have no idea if this has any relevancy at all to the issue, but I thought I’d mention it anyway.
Admin reply on November 22nd, 2008 4:21 pm:
@Ray, I found the answer but I don’t know why.
http://mice.org/blog/i-found-the-bot/
Debbie
November 22nd, 2008 at 4:00 pm
“netstat -an” results, greatly trimmed to preserve your sanity:
Foreign Address State
TCP 150.70.89.33:443 TIME_WAIT
TCP 150.70.89.33:443 TIME_WAIT
TCP 150.70.89.33:443 TIME_WAIT
TCP 150.70.89.33:443 ESTABLISHED
TCP 150.70.89.33:443 ESTABLISHED
So, I gather it is using port 443? Or, am I looking for the port which follows my PC’s IP address (that port number, if it was a port number, varied, by the way)? I don’t know how to block a port in ZoneAlarm, but I can look into it.
November 22nd, 2008 at 4:28 pm
I did another lookup on that IP address, and here are the results:
IP address: 150.70.89.33
Host name: rbt.trendmicro.com
150.70.89.33 is from Japan(JP) in region Southern and Eastern Asia
Now I’m going to turn off RUBotted and see if that change is reflected in the Wireshark results.
If nothing else, this experience has opened my eyes to some fun new tools, such as Wireshark. It’s somewhat fascinating to watch it. Yes, I’m a geek.
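The two comments above are the whole triage procedure in miniature: netstat -an to see which remote address and port the machine keeps talking to, then a reverse lookup of that address to find out who it belongs to. Here is an added example that does both in one script (my own code, not from the commenters or from Trend Micro). It parses Windows-style netstat output, tallies connections per remote peer and state so LISTENING and TIME_WAIT rows don’t get mistaken for live sessions, and resolves each peer through an injectable resolver. The NETSTAT_SAMPLE, the local addresses in it, the 203.0.113.5 peer and the FAKE_RDNS table are constructed; the only real mapping in that table is the one a commenter reported, 150.70.89.33 to rbt.trendmicro.com. Drop the resolver argument to use real reverse DNS via socket.gethostbyaddr.

```python
import re
import socket
from collections import Counter
from typing import Callable, Dict, List, Optional, Tuple

# Constructed sample in the shape of Windows `netstat -an` output, modelled on the
# trimmed listing in the comment above. Local addresses/ports and the 203.0.113.5
# peer (a TEST-NET-3 documentation address) are made up.
NETSTAT_SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    192.168.1.10:3389      0.0.0.0:0              LISTENING
  TCP    192.168.1.10:49201     150.70.89.33:443       TIME_WAIT
  TCP    192.168.1.10:49202     150.70.89.33:443       TIME_WAIT
  TCP    192.168.1.10:49205     150.70.89.33:443       ESTABLISHED
  TCP    192.168.1.10:49206     150.70.89.33:443       ESTABLISHED
  TCP    192.168.1.10:49210     203.0.113.5:80         ESTABLISHED
  UDP    0.0.0.0:500            *:*
"""

# Constructed resolver standing in for real reverse DNS so the script runs offline.
# 150.70.89.33 -> rbt.trendmicro.com is the mapping a commenter reported; the other
# entry is invented.
FAKE_RDNS: Dict[str, str] = {"150.70.89.33": "rbt.trendmicro.com", "203.0.113.5": "peer.example.invalid"}

# proto, local, foreign, optional state (UDP rows have no state column)
LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)(?:\s+(\S+))?\s*$")


def parse_netstat(text: str) -> List[Tuple[str, str, str, str]]:
    """Return (proto, local, foreign, state) rows; header and blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            proto, local, foreign, state = m.groups()
            rows.append((proto, local, foreign, state or ""))
    return rows


def split_endpoint(endpoint: str) -> Tuple[str, Optional[int]]:
    """'150.70.89.33:443' -> ('150.70.89.33', 443); '*:*' -> ('*', None)."""
    host, _, port = endpoint.rpartition(":")
    return host, (int(port) if port.isdigit() else None)


def remote_peers(rows) -> Dict[Tuple[str, int], Counter]:
    """Count TCP connections per (remote ip, remote port), broken down by state.

    Listening sockets and wildcard peers are not conversations with anyone, so they
    are dropped; what remains is the set of hosts the machine is actually talking to.
    """
    peers: Dict[Tuple[str, int], Counter] = {}
    for proto, _local, foreign, state in rows:
        if proto != "TCP" or state == "LISTENING":
            continue
        ip, port = split_endpoint(foreign)
        if ip in ("0.0.0.0", "*") or port is None:
            continue
        peers.setdefault((ip, port), Counter())[state] += 1
    return peers


def reverse_lookup(ip: str, resolver: Optional[Callable[[str], Optional[str]]] = None) -> Optional[str]:
    """Reverse-DNS an IP, returning None when there is no PTR record or lookup fails."""
    resolver = resolver or (lambda a: socket.gethostbyaddr(a)[0])
    try:
        return resolver(ip)
    except OSError:  # socket.herror / socket.gaierror are OSError subclasses
        return None


def triage(text: str, resolver: Optional[Callable[[str], Optional[str]]] = FAKE_RDNS.get) -> List[dict]:
    """Summarize each remote peer with its hostname so an alert can be attributed to a host."""
    report = []
    for (ip, port), states in sorted(remote_peers(parse_netstat(text)).items()):
        report.append({
            "ip": ip,
            "port": port,
            "host": reverse_lookup(ip, resolver),
            "established": states["ESTABLISHED"],
            "total": sum(states.values()),
        })
    return report


if __name__ == "__main__":
    for entry in triage(NETSTAT_SAMPLE):
        print(f"{entry['ip']}:{entry['port']}  {entry['host'] or '(no PTR)'}  "
              f"established={entry['established']} total={entry['total']}")
```

On the sample, the 443 peer resolves to rbt.trendmicro.com with two established sessions and two in TIME_WAIT, which is exactly the picture the commenters were seeing: steady, encrypted traffic to the vendor’s own server rather than to a stranger. The general lesson for any "bot found" or IDS alert is the same: attribute the remote endpoint before assuming compromise, and treat port and connection state as evidence, not just the address.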
November 22nd, 2008 at 5:28 pm
Well, I uninstalled AVG (seems to be common amongst many of you out there with this issue?) and so far I have not had a popup. I installed Avast and everything seems to be good. Avast did find Win32.CTX which apparently from research could be related to the fact that I used to run Panda Anti-virus for a year or so. I’m beginning to think it was the AVG causing this… is everyone here running AVG?
Admin reply on November 22nd, 2008 6:19 pm:
@Ddraig, No, we are all running different AV software. Did you see my post that I found the bot?
http://mice.org/blog/i-found-the-bot/
Ddraig reply on November 24th, 2008 8:31 am:
@Admin, Thanks, I missed that although looking at it I am thinking this IP is what RUBotted uses to talk back to its server. This would explain the 443 SSL Encryption on the communication. Also as a side note it isn’t browser specific, and I don’t think relates to a browser at all, opened up IE this morning and it popped up. Remoted in to my computer from work, no browser up yet and got the message. I use remote desktop, as well as logmein so not sure if either of those are setting it off, or if RUBotted is detecting 3389 (Remote Desktop/Terminal Services Port) open or not. I’m beginning to wonder if this isn’t Trend doing some type of false flagging.
December 8th, 2008 at 1:55 pm
[...] wanted to establish a time frame of the pop-up so I went back to my original, first post and found the date to be November 20th. So let’s assume that the pop-ups started around [...]