Catch the Bad Bots with Free RUBotted from Trend Micro

Bots, an abbreviation of “robots”, are good. Then again, Bots are bad. So which one of those statements is correct? In fact, both are correct – there are good Bots, and there are bad Bots.

Technology, in most cases, is neutral – it’s how we implement technology that establishes its value, and impacts any ethical questions that surrounds its use.

Good Bots include special software such as search engine spiders used by companies like Google, Yahoo and others to find links and content on the Internet. The Internet would not be, and could not be, the Internet we have come to know, and depend on, without these specialized Bots.

Bad or malicious Bots, in contrast, are designed to infiltrate computer systems with the objective of “herding”, or consolidating, systems into so called “Botnets”, whose primary aim is to create a network of compromised computers such as the infamous Storm Botnet (a P2P network), which according to many experts had the power of a supercomputer.

The power of the Storm Botnet was such, that it was responsible for 20 per cent of all spam email sent in the first quarter of 2008.

Many security experts believe that Botnets are responsible for approximately 75 per cent of all spam currently in circulation. Heavily promoted products on all of these Botnets tend to be male enlargement drugs, replica watches and sexually explicit material.

The strategy employed by the owners of these Botnets is particular ingenious, since there’s a strategic crossover with the products being promoted by all five of these Botnets.

Frighteningly it is accurate to say that these Botnets are getting increasingly larger every day. According to the U.S. Federal Bureau of Investigation, there are at least 1 million Botnetted computers in the U.S.

Worse, some security firms estimate that currently there are as many as 10 million Botnetted machines worldwide. In fact, some researchers believe that this may just be the part of the iceberg we can see above the waterline.

Not surprisingly such large numbers of infected machines have produced some of the most powerful networked computer systems in the world. It seems sensible to predict, that malware and phishing attacks from these Botnets can be expected to increase in frequency.

For your own benefit, it’s obviously important to keep your computer from becoming infected and becoming a part of this problem. Perhaps it’s less obvious that we all share a responsibly to help protect other computer users on the Internet from becoming infected.

The way to do that is to ensure that you are part of the solution; not part of the problem created by running an unsecured machine, (which means installing as many levels of protection as possible), or by engaging in unsafe surfing practices.

To help you keep your computer from being herded into a Botnet, Trend Micro has released a beta of RUBotted, a small program that watches for incoming Bot related traffic, which is worth considering adding to your security toolbox.

Fast facts:

Trend Micro RUBotted (Beta) is a small program that runs on your computer, watching for Bot related activities. RUBotted intelligently monitors your computer’s system behavior for activities that are potentially harmful to both your computer and other people’s computers.

RUBotted monitors for remote command and control (C&C) commands sent from a Bot-herder to control your computer. Additionally, RUBotted watches for an array of potentially malicious Bot-related activities, including mass mailing – a common activity performed by a Bot-infected computer.

RUBotted co-exists with your existing AV software, providing advanced Bot specific behavior monitoring. RUBotted does not rely on frequent, network intensive updates to ensure your computer’s continued protection.

Upon discovering a potential infection, RUBotted prompts you to scan and clean your computer.

Operating System requirements:

Windows 2000 Professional (Latest Service Pack Installed)

Windows XP Professional or Home Edition (Latest Service Pack Installed)

Windows 2003 Server (Latest Service Pack Installed)

Windows Vista (32 Bit with Latest Service Pack Installed)

Note from Trend Micro: RUBotted cannot protect computers running Panda Internet Security 2008.

Download at: Trend Micro


Filed under Anti-Malware Tools, bots, Don't Get Hacked, Free Security Programs, Freeware, Geek Software and Tools, Interconnectivity, Online Safety, Software, Spyware - Adware Protection, System File Protection, System Security, Windows Tips and Tools

26 responses to “Catch the Bad Bots with Free RUBotted from Trend Micro

  1. g

    I had a virus bot that i couldn’t shake about 3 months ago and trend micro housecall cleaned it out.

    Highly recommend trend micro.

  2. thank you, great topic

  3. I agree with you totally on that we need to become part of the solution; not part of the problem. I find that the majority of issues associated with intrusions of this type is associated with people’s “bad surfing habits”, as you have mentioned. Great writeup!

  4. I’ve never seen RUBotted before. I’m going to have to check it out. I’ll send you a link from my blog when I do.

    During the day I am a computer tech and I’ve definitely seen some PCs that could use this. Norton, that so many people seem to love, can’t get rid of most of them.

    Thanks you for the heads-up!

  5. Roy

    Hello Bill…Just got several popups from RUBotted like the one in your blog so connected to HouseCall. This is a free scan which then makes a charge to clear any resulting problems (the devil as usual is in the small print). This is a sneaky way of doing business in my view & since a recheck after each popup gave me “no bots found” I’m now really skeptical about TrendMicro.

  6. Realist

    Has anybody else been having problems with RUB the last couple of days? All of a sudden, I keep getting pop-ups like the “Bot Found” image in Bill’s post. But when I open RUB, it says no bots found and there’s nothing in the log.

    I’m assuming this is some kind of false positive, since I’ve been running RUB on this machine for months with no problem. Symantec Endpoint Protection says everything’s fine.

    Anyone else having this issue?

    • billmullins

      To all those who have experienced problems with ThreatFire in the last few

      ThreatFire has just been updated to version 4, and I assume that you have
      set it to update automatically. As a first step, open ThreatFire and go to
      Settings. Once there, adjust the Sensitivity Level to 3 (Default). In the
      meantime I will check with TrendMicro to see if they are aware of this

      Thanks to all of you for advising me of this issue. I will get back to you
      as soon as I have the appropriate information.


  7. xaveryptak

    I have exactly the same problem with the warning. All other security programs show clean scans and no problems.

  8. John Cletheroe

    I’m getting exactly the same symptoms as Realist. It seems to be associated with certain advert banners on some web sites, for example


  9. Toni

    I’m getting really frustrated with Trend Micro’s RUbotted – I’m getting the same false warnings. Please keep us posted on what Trend Micro has to say about this.

  10. John Cletheroe

    I’ve run Trend’s HouseCall, Lavasoft’s Ad-Aware, Microsoft’s Malicious Software Removal Tool, Malwarebytes’ Anti-Malware and F-Secure’s Blacklight. None of these detect anything malicious.

    I’m definitely no expert on this subject but those tests lead me to think that it this a false positive – unless anyone has reputable evidence to the contrary of course.

    It’s a pity that so far Trend have stayed silent on the subject.


    • billmullins

      Hi John,

      I have yet to hear from Trend Micro on this, but as you suspect, these are
      indeed false positives. I have done some background research, and It appears
      as if these false positives are common. Some suspect that the installation
      of the latest release of ZoneAlarm Pro, may be an issue. However, as far as
      I can tell, this is just speculation.

      I’ll keep you advised as more information becomes available.


  11. John Cletheroe


    Many thanks for the update.

    Just for the record I don’t use ZoneAlarm.

    I read a theory that the latest version of Adobe Flash Player might be the cause but I’ve no idea how valid idea that is.

    I’ve had far fewer alarms today, dunno if that means something’s changed?


  12. Cris

    Same to me, Rubotted popups and asks for a free online scan. The funny thing is that when I open Rubotted console and log, the log is empty. Quoting Roy, this is just a “sneaky way of doing business”.

  13. Been trying RUB. Believe we may be getting false positives. Only happens when surfing. Anyone know if there’s a log indicating the IP that RUB doesn’t like when it throws the warning. That would be very helpful to help trace the app that is trying to talk to that address. Better yet, it would be even better if RUB indicated both the suspect IP and app. Anyone know?

  14. I had the RUBotted alarm today immediately after launching the Web Publishing Wizard in WinXP to publish pictures to the Gallery app on my site. I’m pretty sure it’s a false alarm, but will do a complete scan soon..

    • Bill Mullins

      Yes, there is little doubt that RUBotted is subject to false positives. On
      the other hand – better safe……

      Thanks for the comment.

  15. Pingback: Night of the Living Computer* « Tech–for Everyone

  16. NNM

    I am pretty sure rubotted’s goal is NOT to protect your computer. It’s main goal is to get you to scan with their (lately buggy) free scanner, so that you might end up buying the full version.
    Actually, I am so convinced of this, I will not recommend Trend to anyone anymore. And my company will NOT be using it. If this is true, trend is now worse than most adwares or spam mails you may get.
    My list of decent antiviruses is getting very small. Worst 2 (by far): norton, bitdefender.; both act like viruses and I have seen them help viruses. I would rather click unknown.exe than run any of these.

    • Bill Mullins

      Thanks for the comment. I’m curious though, as to which AV’s you consider worth while.


  17. NNM

    – At the moment, AVG works ok… Except some problems with some desktop Acers (you have to boot into safe mode and uninstall to fix).

    – I did use Nod32 for about a year, and never had a single problem; but not used it for a while now, and things change (like bitdefender: went from being my favorite to being a bad copy of Norton, maybe even more invasive).

    – Testing Avast now, since AVG crashed a few computers at work. And I’m not fully satisfied either: it missed a virus (planted for test) and reported a fake (false positive?).

    I was a complete Bitdefender “fan” until I discovered their latest version. I made my company grab some licenses, which was a complete waste of money. Just not usable, especially if you work with IT/IS.

    (As a side note, I’m not the regular end-user. I have a very large home network, always have. But mainly, this is my job. If my work laptop is compromised, a lot of data is as well.)

    To summarize, I have no clue which AV to recommend at the moment. I just know which ones I don’t want, by elimination.
    1: NOT Bitdefender
    2: NOT Norton
    3: NOT Trend: don’t like their methods to get users. I can’t encourage their tactics.

    ~~AVG is ok, unless you have a “recent” (1-2 yrs) Acer desktop.
    ~~ Nod32, unless they fell into the same trap as bitdefender.

    I am going to test them all until I find one I like.
    So, right now, just please stay away from the evil Norton and BD!

  18. Lenore Costantino

    I purchased you program and for some reason it not letting me scan, who cah I speak with

  19. JShope

    I found this page looking for False Positives with RU Botted. I have since learned that my situation was not a false positive. If a threat has been identified and cleaned, you have to manually clear the R U Botted log for the message to go away. As noted elsewhere – open the RUBotted console (click on system tray icon) and then click the view log link. Then click the Delete link.