Ramblings, meanderings, rants and discoveries.

Saturday, July 24, 2010

RU Botted? Dunno RU Working?

A few weeks ago I logged into TrendMicro for my weekly Housecall run. I noticed a Beta Utility call RU Botted. The copy pointed out the possibility of your machine being used as a server of files or in DOS without your knowledge.  Ok, so it is feeding into the present paranoia of users on virri and worms, but it is also not a bad idea to check.  Many virus checkers do not check for bots so I decided to DL this and give it a try.

Download and setup - Quick and painless as was the installation. Great job! Am not enamored of it setting itself to run at startup, but I can change that. It would be nice to have a when "connected to the internet" option though, because I still turn the modem and router off and work offline.  But it is beta and free so I am not complaining.

This seems to be a daemon. It does not seem to interfere often or eat too much ram (488K according to system). It is very quietly idling in the background until it detects bot like activity. Then it logs it and pops up a screen informing the user that activity has been detected, do you want to go to TrendMicro's site, run Housecall and check it?  Now is when I had a few issues.  It took me to Housecall, asked me if I want to dl it etc.  Then the launcher failed when I trird to run it. So I turned OFF RU Botted, closed the browser. At this time  I noticed there was a separate window open for Netflix. I muttered about damn marketeers. closed that,  opened the browser (Firefox,  Trend like most companies refuse to admit Opera and Chrome even exist.) Downloaded the file, install and voila, it worked!

I picked up a book to read.   Housecall finished quickly and returned a  there is nothing message.  Odd.  I  checked the log. It had an  entry of a DNS inquiry to a malicious site. How..  informative. From where, what site and what called it? I shrugged it off, decided maybe it was a probe, but firewall did not go off.

I go on my merry way, except next day when I fire up machine it gives me the same message.  I think this was because there is still something in the log. I opened the log and sure enough two entries said  "Detected DNS query of malicious domain." No further information.  I would like to know what domain, what app made the call  perhaps even what port. I checked my firewall logs. No outgoing. and as a matter of fact nothing at the exact time logged. That sort of makes sense. If the firewall had caught it it would have stopped it and RU Botted MAY not have gotten a chance to spot it.

Then I got another. Same error, different site, then another from my own site. Then another. I look, sure enough Netflix is open again in most cases.

At this point I have no clue if the app is working or not.  I will be installing a different bot watcher and putting it through its paces.  In the meantime, anyone know anything about this? If you are interested in trying it be my guest, but there is presently no way to tell if it is working, and honestly - until they get the bugs out I would not recommend it at all.