ISP claims infections, nothing found

taq8ojh

Golden Member
Mar 2, 2013
On a few occasions over the last few months and weeks, I was randomly being redirected to a page from my ISP saying my computer (I guess any computer in the house) is spreading malware and blabla, with a link to a program (by AVG) supposed to remove "the most common" ZEUS virus/trojan (which is what I supposedly have somewhere, according to logs I was sent; also included was the 108.162.194.116 address, supposedly a host for the malware).

I didn't - and still do not - believe any of our computers is infected for a second, despite antivirus software running only on my father-in-law's (who is computer illiterate and thus the most susceptible to being infected with any malware) notebook: we do not browse warez/porn sites, we do not open fishy emails, Adblock Plus is running everywhere, and the router is properly configured.

The suggested program didn't find anything, but considering it's AVG stuff I wasn't surprised. So I kept looking.
I checked both mine and my wife's computers with ESET online scanner. Nothing.
I downloaded Malwarebytes and thoroughly checked everything. Nothing.
Then I downloaded two rootkit removal tools from Kaspersky and Norton. Nothing.

Any suggestions? The guy from my ISP simply replied "Fortigate is always right". I call bullsh*t on him, but also have no idea what to do/try at this point.
 

mikeymikec

Lifer
May 19, 2011
Ask him to pull the logs that determined your IP is doing strange things. I would expect it to be able to specify which MAC address on your LAN is the suspect one (as well as the time of the incident, to ensure that this isn't some massively out-of-date determination).

I've been having a bit of a time chewing over your second paragraph, it seems to suggest that you've only got AV running on one machine out of multiple computers. There was a time that I ran without AV, but nowadays I don't see any point in risking it (especially when there is a current question mark over the security of your computers). If I have read your post correctly, it seems to me like you might be letting your pride get in the way of the job in hand.

I don't think you have much basis for referring to AVG in your disparaging way either. In my experience it's been as good as most other AV products (ie. sometimes it gets some that others miss and vice versa).

If you have a computer available that is guaranteed to be clean (ie. in your situation, it hasn't been connected to the Internet for some time), I'd take the disk out of each other machine and scan it while connected to the known reliable machine. Any malware designer who knows their stuff will try to evade / disable the resident anti-malware software (of the system that the malware was executed on). If the malware has a high enough privilege level on the system already, then running security software on that in the hope of finding malware is fairly futile.
 

taq8ojh

Golden Member
Mar 2, 2013
ketchup: Nope I don't. I don't even know what that site is.
mikey: That's right, I don't use antivirus, because I don't think I need to, if there is enough common sense. It has nothing to do with pride. In my opinion, common sense, Adblock, firewall and properly configured router is perfectly enough.

But like I said - I checked the other computers with four different programs and nothing was found at all.
 

bononos

Diamond Member
Aug 21, 2011
......
The suggested program didn't find anything, but considering it's AVG stuff I wasn't surprised. So I kept looking.
I checked both mine and my wife's computers with ESET online scanner. Nothing.
I downloaded Malwarebytes and thoroughly checked everything. Nothing.
Then I downloaded two rootkit removal tools from Kaspersky and Norton. Nothing.

Any suggestions? The guy from my ISP simply replied "Fortigate is always right". I call bullsh*t on him, but also have no idea what to do/try at this point.

I suspect your PC(s) got flagged by the ISP because the outgoing traffic was suspicious, maybe the volume and the IPs it was connecting to.
You'll need a boot CD with an antivirus to really be sure, since a PC that's already infected might not be able to scan itself reliably. Kaspersky Livecd, Panda safedisk etc. are in a better position to detect rootkits.
 

mikeymikec

Lifer
May 19, 2011
mikey: That's right, I don't use antivirus, because I don't think I need to, if there is enough common sense. It has nothing to do with pride. In my opinion, common sense, Adblock, firewall and properly configured router is perfectly enough.

But like I said - I checked the other computers with four different programs and nothing was found at all.

Bear in mind that the design of a lot of malware these days is to be as undetectable as possible. The fact that you use the word "perfectly" still suggests that pride is involved in your opinion, since there isn't such a thing as perfect security, and common sense / best practice is not enough to stop all malware. I'll grant that it will stop most of what's out there, but all that is needed is a zero-day exploit on a bit of software you're using on say a reputable website that gets hacked one day, or the update system for a piece of software you use has been compromised at the download source, and your perception of "perfectly enough" (misnomer?) would be revised pretty quickly. I'll consider this my last post on this particular point. You have your opinion, and I have mine.

I suggested connecting the disks from the potentially suspect machines to a known clean one because the OS and security software can be circumvented.

My main piece of advice though is to ask the ISP guy to give you information from their logs to support their claims. If your ISP is engaging in traffic redirection (which is a kind of DoS), they should be able to support that decision with evidence.
 

taq8ojh

Golden Member
Mar 2, 2013
Let's not go into word wars...
I know lots of malware is hard to detect, but that's why we have rootkit removal tools and other stuff, no?
I find it hard to believe nothing would be found after trying four different programs that even restarted the computer in order to - I guess - gain exclusive access to certain things.

He sent me a detailed log that contains a crap ton of useless (I don't have the slightest idea how to interpret them) entries from Fortinet (not sure whether that's some hardware or just software they run).
If anyone can make anything out of it, be my guest: https://www.mediafire.com/?rentbza27cmlkbp
 

bononos

Diamond Member
Aug 21, 2011
Did you burn a bootcd with a reputable rootkit/virus scanning program? Otherwise you might be wasting your time running scans. You might want to hop over to the security section and search or ask about antivirus live cd.

From the log you gave, there are the destination IPs and the type of the virus.
 

Fardringle

Diamond Member
Oct 23, 2000
Did you have a visitor bring their own device to your network on 12/18, 12/26, 2/18, and 2/19? Or are you using a weak wireless password (or weak encryption) that may have been compromised?

If not, then something on your network is (or was) in fact infected with a virus.


And yes, running a computer with internet access without any antivirus software is a bad idea. Many recent malware programs will install themselves on your computer simply by your visiting a web site where the malware code is hiding. You don't have to click anything to approve, you don't have to allow a pop-up or helper object, and in many cases you don't even have to be using an account with admin rights. This is particularly true if you are using Java and/or Flash and they are not regularly updated (and sometimes even if they are).
 

taq8ojh

Golden Member
Mar 2, 2013
There are no wireless devices in the network anymore, and I only allow devices with known MAC addresses anyway. I hope the wireless password, which is a mixture of two words, is good enough with its 12 chars containing capital letter and a number. The encryption used is WPA2 personal. And no remote management, of course.

I really have no idea what is (or isn't) going on. I've just spent two hours scanning the computers with some sort of livecd from AVG and again, nothing.

I always make sure everything (specifically Windows and Flash, and Java (if it's absolutely needed for anything... bleh)) is up to date.
 

Matt1970

Lifer
Mar 19, 2007
You are asking for trouble browsing the net without AV software. The so-called "safe browsing" is about as effective as pulling out is for birth control. I have seen AVG catch stuff all the time on what a lot of people would consider safe sites. Remember, even the Disney site had malicious content on it at one time.
 

mikeymikec

Lifer
May 19, 2011
Let's not go into word wars...
I know lots of malware is hard to detect, but that's why we have rootkit removal tools and other stuff, no?
I find it hard to believe nothing would be found after trying four different programs that even restarted the computer in order to - I guess - gain exclusive access to certain things.

All of these tools work by blacklisting dodgy code. If there's a variation on that code that isn't caught by the blacklist, then you won't get a positive result. New variations come out all the time, sometimes they get caught with old AV definitions, sometimes not.

Admittedly I would be surprised if four different scanners didn't pick up a problem, but then one of the first courses of action I'd take (at least in my line of work) is to take the disk out and scan it while it is connected to my own machine. That way, the malware doesn't have any abilities to evade detection. My blacklisting point is obviously still valid in that situation, but a system-level exploit can be ruled out with a much higher degree of certainty. A live CD should be almost as good (there are some pretty unlikely ways around it though), but I don't have much experience with live CDs because I have a technique that works for me in my line of work already.

I don't suppose there's a less-often used computer whose uses match up to those dates and times in the log, is there? I'm assuming that what your ISP's security system is picking up is an attempt by the malware to contact a control server. Ask the ISP for some of the control server IPs, or research them yourself, block them on your router's firewall and log attempts that trigger the block. That should give you a local IP to check.

Another thing to check is whether you find any file names that correspond to the writeup about Zeus here:
http://www.symantec.com/security_response/writeup.jsp?docid=2010-011016-3514-99&tabid=2
Try also creating folders in the locations it describes and see whether you're allowed to (file system locations can be hidden by malware regardless of Windows settings), if it throws an error you know you're onto something.
 

taq8ojh

Golden Member
Mar 2, 2013
I sent the log to my friend who apparently has a colleague who has experience with this stuff, I assume some sort of security admin somewhere. He said the infection is almost certain. Alright.
I tried a couple more things:
- I switched both the AV-less computers off, took away all disks, and one by one tested them in the notebook that has ESET running.
- Retested all computers with the AVG Rescue CD.
- Booted both computers in safe mode and tested with updated Malwarebytes, Malwarebytes Anti-Rootkit and AVG's Zbot removal tool.

Still nothing!!
I don't get it!

Any other ideas?
 

piasabird

Lifer
Feb 6, 2002
How come the ISP isn't blocking that malware? It came to you through them, didn't it? This assumes they are right. Sometimes you download software and it comes with the software.
 

taq8ojh

Golden Member
Mar 2, 2013
According to the log, I think they blocked the traffic allegedly coming from me.
I also downloaded Zbot removal tool from ESET, and again, nothing found.

I seriously don't know what to do.
Everything tells me there's not one damn thing in any of our computers, but...
 

taq8ojh

Golden Member
Mar 2, 2013
I regained some thinking, and remembered ESET offers a one-month trial version.
Installed, configured... and NOTHING.

I am 95% sure it's a false alarm triggered by who knows what (unless a router itself can get infected with a virus, which I doubt is technically possible).
 

code65536

Golden Member
Mar 7, 2006
Anything suspicious in TCPView?

I've gotten something similar before from Google. They blocked a search request saying that my traffic pattern to their site was unusual and that I was probably infected which I know was untrue. Refreshed a couple of times, and it worked. If Google could mess up their heuristics, so could anyone, including your ISP. Based on what you've said so far, I'm thinking false positive.


You are asking for trouble browsing the net without AV software.
That's rubbish. This is a far better analogy: AV software is, at best, a seat belt in a head-on car crash, and at worst, AV is a placebo that makes people feel invincible so that they drive in a way that results in many more head-on car crashes.

[rant] Have I encountered malware? Sure, countless times. Have I had drive-by downloads and other attempts to surreptitiously install things on my system? Yes. Do I browse porn sites and other high-risk places? Yes to that, too. Do I use AV? Hell no. How many times have I been compromised, infected, etc. in all my years of computing (over 20 years)? Zero. And of all the numerous systems that I've had to manually disinfect and clean for other people, how many of them had some sort of AV software installed? Every single one.

If people know what they're doing, they'll find that the cards are actually stacked pretty high in their favor. The problem is, instead of the hard work of educating users in basic computing (leaving people who think that "hacking" is like what happens in a Hollywood movie), people try for the easy solution of cooking up a technical solution in the form of AV, which ultimately does a disservice by leaving people ignorant without actually offering any real protection.[/rant]
 

taq8ojh

Golden Member
Mar 2, 2013
I didn't check active connections, no.
According to the log, the suspicious traffic happens randomly, and sometimes days/weeks apart. Not sure if the log is complete, but it goes back to March last year.
Based on that, IF there's anything in here, it's dormant and activates at some unspecified times.
 

jolancer

Senior member
Sep 6, 2004
Since everything seems normal I personally would go back and look at what's easiest.

You say your devices aren't wireless but wifi is left on. If you keep it on, if it has a client list or preferably a history of all attached devices, check to see if anyone was possibly leeching off your router around those dates. WPA will encrypt your data communication to/from the router, but will do nothing for your password if WPS is enabled, and I dunno exactly but have heard certain router models from some time period, even if WPS is selected disabled, actually still show up to attackers as enabled. I dunno for sure tho, only heard.

You say you have MAC filtering enabled on your router, but I dunno if that would do much either considering it's easy to spoof a MAC. Unless you reserved a specific LAN IP for the MAC perhaps, not sure tho.

If the router is good or undeterminable.. perhaps get confirmation that the log belongs to you? I only see a destination IP, and traffic direction is N/A?... If you copy/paste the log into an app that can read it, it's formatted properly; Excel seems to read it fine.

IF it does belong to you and it's outbound not inbound traffic, you could start by blocking those IP or port ranges if you use a firewall and log activity on those ranges.

I dunno how control servers for malicious content work, but normally you can google "who is xx.xx.xx.xx" and get an IP range for the entire server or domain. But I dunno if that applies to malware.
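What the "block it at the router and log what trips the rule" advice from mikeymikec and jolancer looks like in practice, as an added example that is not code from anyone in this thread: the router blocks the destination the ISP named and logs every attempt, and the script maps the hits back to a LAN IP and source MAC with first/last times. It assumes an OpenWrt-style router writing iptables LOG lines to syslog; the "C2BLOCK" prefix, the LAN hosts and the MAC addresses are constructed.

```python
import re

# Constructed sample of what an iptables LOG rule writes to syslog when a LAN
# host tries to reach a blocked destination. The assumed router rules are:
#   iptables -I FORWARD -d 108.162.194.116 -j LOG --log-prefix "C2BLOCK "
#   iptables -I FORWARD -d 108.162.194.116 -j REJECT
# (108.162.194.116 is the address the ISP named; hosts and MACs are made up,
# and real LOG lines carry more fields, which the regex skips over).
SAMPLE_LOG = """\
Mar  3 02:14:07 router kernel: C2BLOCK IN=br-lan OUT=eth0.2 MAC=00:11:22:33:44:55:aa:bb:cc:dd:ee:ff:08:00 SRC=192.168.1.23 DST=108.162.194.116 LEN=60 PROTO=TCP SPT=49321 DPT=443
Mar  3 02:14:09 router kernel: C2BLOCK IN=br-lan OUT=eth0.2 MAC=00:11:22:33:44:55:aa:bb:cc:dd:ee:ff:08:00 SRC=192.168.1.23 DST=108.162.194.116 LEN=60 PROTO=TCP SPT=49322 DPT=443
Mar  3 09:30:41 router kernel: OTHER IN=br-lan OUT=eth0.2 MAC=00:11:22:33:44:55:aa:bb:cc:dd:ee:ff:08:00 SRC=192.168.1.10 DST=8.8.8.8 LEN=60 PROTO=UDP SPT=5353 DPT=53
Mar  5 23:58:12 router kernel: C2BLOCK IN=br-lan OUT=eth0.2 MAC=00:11:22:33:44:55:de:ad:be:ef:00:01:08:00 SRC=192.168.1.42 DST=108.162.194.116 LEN=52 PROTO=TCP SPT=51000 DPT=80
"""

# syslog timestamp, host, "kernel:", the log prefix, then the netfilter fields we need
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ kernel: (?P<prefix>\S+) "
    r".*?MAC=(?P<mac>[0-9a-f:]+) SRC=(?P<src>[\d.]+) DST=(?P<dst>[\d.]+) "
    r".*?PROTO=(?P<proto>\w+)(?: SPT=\d+)? DPT=(?P<dport>\d+)"
)


def parse_blocked_attempts(log_text, prefix="C2BLOCK"):
    """Return {(lan_ip, src_mac): {count, first, last, dests}} for lines that
    carry the block rule's prefix; every other firewall line is ignored."""
    hits = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m.group("prefix") != prefix:
            continue
        # LOG prints the Ethernet header as dst MAC, src MAC, ethertype (14 bytes)
        octets = m.group("mac").split(":")
        src_mac = ":".join(octets[6:12])
        key = (m.group("src"), src_mac)
        rec = hits.setdefault(
            key, {"count": 0, "first": m.group("ts"), "last": None, "dests": set()}
        )
        rec["count"] += 1
        rec["last"] = m.group("ts")  # lines arrive in time order, so last seen wins
        rec["dests"].add(f'{m.group("dst")}:{m.group("dport")}/{m.group("proto")}')
    return hits


def suspects(log_text, prefix="C2BLOCK"):
    """LAN hosts that tripped the block rule, busiest first."""
    hits = parse_blocked_attempts(log_text, prefix)
    return sorted(hits.items(), key=lambda kv: kv[1]["count"], reverse=True)


if __name__ == "__main__":
    for (ip, mac), rec in suspects(SAMPLE_LOG):
        print(f"{ip} ({mac}): {rec['count']} blocked attempt(s), "
              f"{rec['first']} .. {rec['last']}, to {sorted(rec['dests'])}")
```

The MAC is what you compare against the router's client list, since a LAN IP can change between the log's dates; the timestamps are what you match against the ISP's log to confirm the entries really belong to your connection.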
 

taq8ojh

Golden Member
Mar 2, 2013
Two days of running with ESET, and nothing even remotely resembling something suspicious.
 

Steltek

Diamond Member
Mar 29, 2001
I am 95% sure it's a false alarm triggered by who knows what (unless a router itself can get infected with a virus, which I doubt is technically possible).

It is possible -- in fact, there was one that was just discovered in the last 2 weeks. The worm, which is called "Moon", has been infecting certain Linksys 'E' model routers because Cisco engineers apparently (in a moment of supreme idiocy) left a backdoor into the firmware.

http://arstechnica.com/security/201...inksys-routers-with-self-replicating-malware/

Depending upon firmware revision, any of the following models may be susceptible to infection: E4200, E3200, E3000, E2500, E2100L, E2000, E1550, E1500, E1200, E1000, or E900. For now, it is only known to be spreading from router to router and hasn't done anything yet.

However, as Fortinet has identified it as zBot/Zeus, I wouldn't think that would be your problem. I'm wondering if you could have picked up some type of zero-day variant that the scanners aren't yet detecting.
 

taq8ojh

Golden Member
Mar 2, 2013
My router is WRT320N (I wish I could replace it, but what I chose is not yet fully supported in Openwrt).

I don't think it's anything new, because it's been showing in their logs irregularly for a year, and I only started scanning my PC these days. And with five frigging programs (and real time monitoring of pretty much everything now that I have ESET installed), the probability of nothing being detected under these conditions is in my opinion slim to none.
 