21st Cent.Sherlock Holmes & Malware

Hi All,

So I have a Sophos UTM in bridge mode that basically inspects traffic, then passes it to the router, an Asus N66U. The UTM does not do routing.

About a month ago I started getting Command and Control notices from the UTM. After some research, it seems my IP is trying to connect to a domain by the name of: worldtvpro.zapto.org.anbdyn.info

After some googling I found out that the worldtvpro.zapto.org domain is owned by a company in Reno, NV called Vitalwerks Internet Solutions, LLC, which from their site appears to offer DynDNS-like services.

I'm having a hard time trying to pinpoint where this 'infection' is coming from; all nodes on my network have been scanned with Malwarebytes Pro, HitmanPro and the default Sophos AV. I'm fairly certain my machines are OK, but I don't want to label this a false positive until I can be sure. I've read in some Sophos posts that sometimes software phoning home can trigger it, but the hard part is that the Sophos logs only report my public IP and not an internal one, so I can't see if anything with a private IP is trying to call out somewhere.

I do run Kodi with some plugins, so this seemed like a likely cause, but even with the PC off the alerts are still generated, and the system has been scanned with no results.

Sophos classifies it as C2/Generic-A. This is the link it gives as support, but it isn't really of any help.

http://www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/C2~Generic-A

Any suggestions are appreciated.

Should say 'My Public IP' in the screenshot below.

Are these third-party Kodi add-ons? Because I'm going to guess that World TV Pro is something that one of your add-ons is trying to talk to.

Weirdly from a now deleted Kodi Forum post

Then there's this:
https://www.tvaddons.ag/forums/tvaddons-ag-addon-repository/57812-infection-blocked.html

@Ghaz013 OK, so this is a quick check by me. I work in Information Security.

The gist of it is: Your Shit's almost very highly probably pwned.

This is a well-known malware botnet running out of Lisbon, Portugal.

dig worldtvpro.zapto.org

;; QUESTION SECTION:
;worldtvpro.zapto.org.          IN      A

;; ANSWER SECTION:
worldtvpro.zapto.org.   36      IN      CNAME   worldtvpro.zapto.org.anbdyn.info.
worldtvpro.zapto.org.anbdyn.info. 76 IN A       195.22.26.248

geoiplookup 195.22.26.248
GeoIP Country Edition: PT, Portugal
GeoIP City Edition, Rev 1: PT, N/A, N/A, N/A, N/A, 38.713902, -9.139400, 0, 0
GeoIP ASNum Edition: AS8426 Claranet Ltd

The address in question has been associated with malware and ransomware botnets multiple times and has hundreds of different domains pointing to it. Filter it immediately and prepare to audit your machines.

https://www.virustotal.com/en/ip-address/195.22.26.248/information


FWIW, malware containing this string and resolving to this IP was first detected two weeks ago (May 9th).
So chances are high it's already been sinkholed by your ISP/AV etc.
But you never know.

The server is just running an Nginx service on a custom CMS accepting POST requests, requiring specific headers to elicit any sort of response.

This is the URL it likely sends POST requests to.

worldtvpro.zapto.org/cms/cms/jklmnop.php

If you can find the source of the requests on your network and machine, I'd appreciate it if you sent me a sample exe, if you can find one, or traffic capture logs (Wireshark) that I can add to AV sigs.

Happy Hunting


popped up on the radar today.

Hmm, so your device is inspecting outbound LAN traffic before it hits the NAT router? It should be easy to tell the source IP in this case.

Thanks all for the info. I have to say this is quite maddening: I have ripped all PCs and devices off the network except for the UTM, the router and a laptop which is freshly imaged, and I'm still getting the notices. I even swapped switches and routers; it just doesn't make sense, there's nothing left behind the router to reach out.

I'm going to have to 'get good' with Wireshark; if anyone has any suggestions on how to sort through the mess, I'm all ears.

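One way to make the "which internal host is asking for this" step mechanical, as an added example that is not part of any post in this thread: the script below assumes a field export produced by tshark (command in the comment; the sample lines are constructed, not a real capture), keeps only LAN-originated DNS queries and connections, and reports which private address originated each hit on the domain and IP quoted above.

```python
import ipaddress
from collections import defaultdict

# Indicators quoted in the thread: the CNAME chain and the A record it ends in.
SUSPECT_DOMAINS = {"worldtvpro.zapto.org", "worldtvpro.zapto.org.anbdyn.info"}
SUSPECT_IPS = {"195.22.26.248"}

# Constructed sample of the export this script expects. Assumed command:
#   tshark -r capture.pcap -Y "dns.flags.response == 0 || ip.dst == 195.22.26.248" \
#     -T fields -E separator=, -e frame.time_epoch -e ip.src -e ip.dst -e dns.qry.name -e tcp.dstport
# The display filter drops DNS answers, so every DNS line is a query and ip.src is the asker.
SAMPLE_EXPORT = """\
1494374400.10,192.168.1.23,192.168.1.1,worldtvpro.zapto.org,
1494374401.02,192.168.1.23,195.22.26.248,,80
1494374402.50,192.168.1.40,93.184.216.34,,443
1494374405.00,192.168.1.1,8.8.8.8,example.com,
1494374410.00,192.168.1.1,8.8.8.8,worldtvpro.zapto.org.anbdyn.info,
"""

def is_private(ip: str) -> bool:
    """True for RFC 1918 / link-local style addresses, False for anything unparseable."""
    try:
        return ipaddress.ip_address(ip).is_private
    except ValueError:
        return False

def is_suspect_name(qname: str) -> bool:
    """Match the indicator names exactly or as a parent of the queried label."""
    q = qname.rstrip(".").lower()
    return any(q == d or q.endswith("." + d) for d in SUSPECT_DOMAINS)

def find_internal_sources(export_text: str) -> dict:
    """Map each private source IP to the list of reasons it was flagged.
    A hit whose source is the gateway's own address means the query is leaving
    from the router itself (or something it proxies), not from a LAN host."""
    hits = defaultdict(list)
    for line in export_text.splitlines():
        fields = line.split(",")
        if len(fields) < 5:
            continue  # blank or malformed export line
        ts, src, dst, qname, dport = fields[:5]
        if not is_private(src):
            continue  # only traffic originating inside the LAN matters here
        if qname and is_suspect_name(qname):
            hits[src].append(f"{ts}: DNS query for {qname}")
        if dst in SUSPECT_IPS:
            hits[src].append(f"{ts}: connection to {dst} port {dport or '?'}")
    return dict(hits)

if __name__ == "__main__":
    for host, reasons in sorted(find_internal_sources(SAMPLE_EXPORT).items()):
        print(host, *reasons, sep="\n    ")
```

Point the capture interface at the LAN side of the router (a mirror port or the UTM's bridge interface), since anything captured after NAT will only ever show the public address, which is exactly the problem the UTM logs have.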

Does anyone have any ideas how I'm still getting alerts with only the UTM and router connected?