Thursday, April 14, 2011

Trend Micro is Recording Your Every Mouse-Click

Many of us use some sort of anti-virus protection. One of the more popular products is Trend Micro. After a bit of investigating, I have concluded that once you install a Trend Micro anti-virus product, their software records every link that you click on the internet and sends that information back to Trend Micro servers.

Recommendation: Trend Micro is Spyware. Uninstall it immediately.

Investigation - Odd Website Behavior:

I run a small website. I am kind of obsessed at making sure my site is operating properly and I monitor the logs closely. I started noticing some unusual activity.

To access a large part of my site, you have to be logged in. However, I started noticing requests from users who were not logged in; it appeared they were clicking on links that required them to be logged in. For example, if someone wants to search the database on my site, they must first log in. I saw quite a bit of activity from people who were not logged in trying to search my database. A normal user would never do this, because in order to get to the search page, you must first log in. When a user tries to search without logging in, the search fails and returns an error message. (Note: It could also happen if the user logs in, keeps their browser open until their session expires, and then does a search. However, this is relatively uncommon and was not happening with the frequency I was seeing.)

A Possible Connection to Trend Micro

The strange activity kept happening over and over, which made me suspicious. I checked the IP addresses of the users that did these types of searches. I found that several different IPs contributed to the vast majority of these types of errors. I did a reverse DNS on the IP addresses and found that every single one of them comes from a Trend Micro server.

I thought that was strange and I wondered why or how Trend Micro was clicking around on my site. Then I noticed that every single one of the queries that came from Trend Micro had been done by a real logged-in person earlier. Sometimes a user would do it days earlier, sometimes hours. But there was no truly unique request coming from Trend Micro.

I then noticed that my site was getting requests to the administrator area. These areas are unexposed to the open internet and should only be accessed by me. I had an "ah ha" moment when I saw that Trend Micro is the installed anti-virus program on my work computer, where I occasionally view the administrator pages.

I have to conclude that Trend Micro is recording the requests from every user that has installed its software. The software must record the user's internet requests and send them to Trend Micro. Then Trend Micro re-runs them, probably to do some security analysis.

I have no idea what else Trend Micro is recording. The only thing I know for certain is that they record what you click on the internet. However, it is certainly possible, and based on Trend Micro's past behavior it is probable, that they are recording your every move on your computer.
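As an added example (not code from the original post), here is how the correlation described above can be automated over an Apache access log: it flags every request from the listed ranges whose URL an ordinary client had already fetched, with the delay in hours, and separately reports any URL those ranges request that nobody else did. Treating the ranges as /16 networks and the sample log lines themselves are assumptions, not data from the post.

```python
import re
import ipaddress
from datetime import datetime

# Apache common log line, e.g.: 150.70.172.103 - - [11/Feb/2012:19:53:58 +0000] "GET /x HTTP/1.0" 403 311
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+" (?P<status>\d{3}) \S+')

# Ranges the post attributes to Trend Micro; treating them as /16 networks is an assumption.
SUSPECT_NETS = [ipaddress.ip_network("150.70.0.0/16"), ipaddress.ip_network("216.104.0.0/16")]

def parse(line):
    m = LOG_RE.match(line)
    if not m:
        return None  # not in the expected format; skipped by the caller
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec

def is_suspect(ip, nets=SUSPECT_NETS):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in nets)

def replay_report(lines, nets=SUSPECT_NETS):
    """Classify each request from a suspect range as REPLAY (an ordinary client fetched
    the same method+path earlier) or NOVEL. Lines are assumed to be in time order."""
    first_seen = {}  # (method, path) -> (ip, timestamp) of the first ordinary request
    report = []
    for rec in filter(None, map(parse, lines)):
        key = (rec["method"], rec["path"])
        if not is_suspect(rec["ip"], nets):
            first_seen.setdefault(key, (rec["ip"], rec["ts"]))
            continue
        orig = first_seen.get(key)
        if orig is None:
            report.append((rec["ip"], rec["path"], rec["status"], "NOVEL", None, None))
        else:
            delay_h = round((rec["ts"] - orig[1]).total_seconds() / 3600, 1)
            report.append((rec["ip"], rec["path"], rec["status"], "REPLAY", orig[0], delay_h))
    return report

# Constructed sample: documentation addresses for ordinary clients; the 150.70.x.x rows replay their URLs.
SAMPLE_LOG = [
    '203.0.113.5 - alice [14/Apr/2011:09:12:01 +0000] "GET /search?q=widgets HTTP/1.1" 200 5120',
    '198.51.100.7 - - [14/Apr/2011:09:15:44 +0000] "GET /admin/users HTTP/1.1" 200 2210',
    '150.70.172.107 - - [14/Apr/2011:13:40:10 +0000] "GET /search?q=widgets HTTP/1.0" 403 317',
    '150.70.64.195 - - [16/Apr/2011:02:07:55 +0000] "GET /admin/users HTTP/1.0" 403 290',
    '150.70.75.27 - - [16/Apr/2011:02:08:01 +0000] "GET /never-requested-by-a-user HTTP/1.0" 404 210',
]
```

Run `replay_report(SAMPLE_LOG)` (or feed it `open("access.log")`) to get one tuple per suspect request; a high REPLAY ratio is the signature the post describes, while NOVEL rows are worth a closer look.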

An Explanation?

I searched the Trend Micro website and I could not find anything that actually discloses what they are doing. My guess however is that it is involved with the Trend Micro Smart Protection Network. The website says that it "[l]everag[es] cloud computing across Trend Micro's security solutions and services." However it does not say that it is tracking everyone's click and movement on the internet.

If Trend Micro is doing what it appears they are doing, it is a huge affront to your privacy and they may be violating the law. Users of any software should know what the software is doing and have an opportunity to turn it off. Trend Micro has not been upfront with their reprehensible behavior.

IP Addresses

Below are some of the IP addresses where I noticed this traffic. All of them are registered to Trend Micro. The 150.70.x.x IPs are registered in Japan and the 216.104.x.x IPs are registered in Cupertino, California.

  • 150.70.172.107
  • 150.70.64.195
  • 150.70.75.27
  • 216.104.15.130
  • 216.104.15.138
  • 216.104.15.142
  • 216.104.15.134

There are probably more IPs than the ones listed above; these are only a snapshot from a couple of days. I am considering blacklisting them from my site.

5 comments:

Eivind said...

I noticed the same symptoms on my website.

Addresses:
150.70.75.34
150.70.172.101
150.70.64.193

Anonymous said...

Here are mine. I blocked them because I don't like sushi.
150.70.172.106
150.70.64.195
150.70.75.36

solidcode said...

Yeah, the Cisco router I am connected to appears to have this software installed.

The strange thing is that it doesn't only request the same URLs…

it appears to be running intrusion scripts on common urls… (my example is phpmyadmin)

here is my example;
On a new/fresh/5min old Amazon Instance, after I accessed phpmyadmin.

The 150.70.x.x range requests my requested URLs (on a Linux client) and comes back regularly to try the URL again…
The scan below is run from 109.106.165.193.

I have the server blocking access to all IPs, so the requests end in 403. The intrusion script appears to try various combos.

Anyone else seeing this behaviour?

Apache Error Log

--------------------------------

150.70.172.103 - - [11/Feb/2012:19:53:58 +0000] "GET /phpmyadmin/js/functions.js?ts=1324498093 HTTP/1.0" 403 317
150.70.172.103 - - [11/Feb/2012:19:54:00 +0000] "GET /phpmyadmin/js/pMap.js?ts=1324498093 HTTP/1.0" 403 312
150.70.172.103 - - [11/Feb/2012:19:54:01 +0000] "GET /phpmyadmin/js/sql.js?ts=1324498093 HTTP/1.0" 403 311
188.93.10.56 - - [11/Feb/2012:20:02:43 +0000] "GET / HTTP/1.1" 403 3839
109.106.165.193 - - [11/Feb/2012:20:03:56 +0000] "GET //phpmyadmin/ HTTP/1.1" 403 290
109.106.165.193 - - [11/Feb/2012:20:03:56 +0000] "GET //_phpMyAdmin/ HTTP/1.1" 403 291
109.106.165.193 - - [11/Feb/2012:20:03:57 +0000] "GET //pHpMyAdMiN/ HTTP/1.1" 403 290
109.106.165.193 - - [11/Feb/2012:20:03:57 +0000] "GET //webdb/ HTTP/1.1" 403 285
109.106.165.193 - - [11/Feb/2012:20:03:57 +0000] "GET //wp-phpmyadmin/ HTTP/1.1" 403 293
109.106.165.193 - - [11/Feb/2012:20:03:57 +0000] "GET //admn/ HTTP/1.1" 403 284
109.106.165.193 - - [11/Feb/2012:20:04:01 +0000] "GET //MyAdmin/ HTTP/1.1" 403 287
109.106.165.193 - - [11/Feb/2012:20:04:01 +0000] "GET //phpmanager/ HTTP/1.1" 403 290
109.106.165.193 - - [11/Feb/2012:20:04:01 +0000] "GET //backup/phpmyadmin/ HTTP/1.1" 403 297
109.106.165.193 - - [11/Feb/2012:20:04:02 +0000] "GET //backup/phpMyAdmin/ HTTP/1.1" 403 297
109.106.165.193 - - [11/Feb/2012:20:04:11 +0000] "GET //admin/ HTTP/1.1" 403 285
109.106.165.193 - - [11/Feb/2012:20:04:11 +0000] "GET //dbadmin/ HTTP/1.1" 403 287
109.106.165.193 - - [11/Feb/2012:20:04:12 +0000] "GET //sql/ HTTP/1.1" 403 283
109.106.165.193 - - [11/Feb/2012:20:04:12 +0000] "GET //mysql/ HTTP/1.1" 403 285
109.106.165.193 - - [11/Feb/2012:20:04:12 +0000] "GET //myadmin/ HTTP/1.1" 403 287
109.106.165.193 - - [11/Feb/2012:20:04:12 +0000] "GET //phpmyadmin2/ HTTP/1.1" 403 291
109.106.165.193 - - [11/Feb/2012:20:04:13 +0000] "GET //phpMyAdmin2/ HTTP/1.1" 403 291
109.106.165.193 - - [11/Feb/2012:20:04:13 +0000] "GET //phpMyAdmin-2/ HTTP/1.1" 403 292
109.106.165.193 - - [11/Feb/2012:20:04:16 +0000] "GET //sqlmanager/ HTTP/1.1" 403 290
109.106.165.193 - - [11/Feb/2012:20:04:23 +0000] "GET //PMA2005/ HTTP/1.1" 403 287
109.106.165.193 - - [11/Feb/2012:20:04:32 +0000] "GET //phpmy-admin/ HTTP/1.1" 403 291
109.106.165.193 - - [11/Feb/2012:20:04:35 +0000] "GET //sqlweb/ HTTP/1.1" 403 286

--------------------------------

Staff said...

@solidcode: Yup, I see them too.

Anonymous said...

This is exactly what is happening to me as well :( I see them as well in my Apache logs.