What is usd.bravo-dog? Comes up every time I load Rhino

unhandled

#1

My computer runs Malwarebytes, which automatically blocks unknown or unwelcome intrusions and outbound messages.

Lately, every time I load Rhino, the Malwarebytes reports that it has blocked an outbound message to a site designated as usd.bravo-dog.com. There are variations: usa.bravo-dog, use.bravo-dog, etc.

Is this malware? Is it some sort of reporting system that is approved by or written into Rhino?

Thank you for your insights.

Michael


#4

do you own a legal version?


#5

Your computer is simply longing for gluten-free canned dog food from the almighty bravo pet food brand.


#6

Yes, I do own the legal version. Re gluten free, lol.

FWIW I use several plug ins including Bongo Auxpecker and tSplines.

For a while I received promotional messages from Auxpecker when I opened Rhino, but not lately.


#7

mhh. are those plugins legal? Cracked software is usually used to hijack machines. Hijacked websites can be used to protect the hijacker from being tracked. Usually you can easily send malware from within an application using the port open for sending service reports etc… Rhino is no exception to that. I tested that by sending emails from a grasshopper component and to my surprise it worked quite well… Maybe even an official free plugin has some mechanism inside. Plugin usage in the end is a risk…


#8

Interesting.

Yes, I purchased Bongo and tSplines. Auxpecker is free but I am registered. tSplines for Rhino is sort of adrift, no longer supported. But it would be hard to live without.

So what is the fix? Uninstall and re-install from scratch?


#9

I would start by disabling plug-ins (Rhino Options -> Plug-ins and uncheck what you don’t want) Then you might be able to narrow down the culprit.


(John Brock) #10

Yesterday, I asked Brian about this. He’s just been too busy to jump in.
My best guess is it is related to Rhino calling home to check for updates, but hopefully he can clarify that.

Until he comes up for air, I’d suggest leaving well enough alone.
Experience tells me when you start taking pot-shots at this stuff like you’re describing, there are other unintended consequences that will come back to bite you.


(Brian Gillespie) #11

I don’t think this is something that we have embedded in Rhino. Our check for updates systems should be looking at one of these urls, depending on the version of Rhino and what is being sought:

I agree with this. If you disable the plug-ins and then you don’t see the outbound calls to bravo-dog.com then you’ll probably be able to figure out which plug-in is sending the messages.


#12

At least, the virus could ask for better dog food than bravo.


#13

As a first step I disabled one of the plug-ins. I then closed and re-started Rhino 5. No alerts appeared.

To follow through, I re-enabled the plug-in, fully expecting the malware alert to reappear.

It did not.

So this isn’t a simple process of elimination. Malware doesn’t necessarily call the Mother Ship on every start-up. It could be triggering off the clock as well.

I will try to troubleshoot it again in the morning. No question left, though, about the nature of the beast. It is malicious.

Thank you for clarifying this, Brian.

regards, Michael


#14

If you believe that you have been compromised, your only sure-fire path is to nuke-and-pave (format and reinstall) if you have the skills. And don’t do a mass backup and restore either, rather selectively restore your data files.

Assuming you got “it” (if it is nefarious) due to no malpractice of your own, it is an unfortunate testament to the state of things. The miscreants have transitioned tactics, to include embed of their wrath into legitimate efforts. Even legitimate, well intentioned, public service open source needs to be scrutinized based on the ability to compromise, fake, and distribute.

Commercial endeavors not immune either.


#15

Made a clean re-install of Windows. I would like to have systematically determined which of the three plugins might be responsible, but with malware on board, it seemed best to go straight to a re-install.

Of the plug-ins, I have only re-installed Bongo, on the assumption that since it is a Rhino product, it is least likely to have been infected. So far I have used the freshly installed Rhino for a couple of days with no problems nor malware reports from Malwarebytes. The new installation seems normal, except for one thing:

On the start-up panel, which is a download, the “Tips” section is always left blank.

I would normally ignore this but after the bravo-dog episode, anything odd instantly captures attention.

Thank you for your insights.

Michael


(John Brock) #16

Maybe this:
https://wiki.mcneel.com/rhino/splashproblem


#17

Hello John,

Thank you for your email. I work for myself and I have not locked out the Google servers. My anti-virus might have ruled out some server, as a protective measure, but this particular virus or malware, US(abcde).Bravo-dog was using Amazon servers.

Maybe Rhino is not communicating with my new Rhino 5 installation because its predecessor, now erased, was known to have been infected with Malware. I don’t think it was a virus, strictly speaking, because if it had been a virus, it seems the AV software would have disinfected it.

Michael