[Solved] Virus traffic captured with Wireshark is not detected by anti-virus, not even a live anti-virus disc

Hi folks. This is a continuation of another post I made: "Computer on my home network tries to log into router".

Recap:

We detected numerous failed admin login attempts by two computers on our LAN to our router and found it suspicious. We made the post, and thanks to @Th3Z0ne we got a bit closer to figuring out what it was.

Both of his computers have done it. The last one is a genuine Windows 7 install, and the virus got there presumably through a USB drive, undetected by his anti-virus - Avast.

We ran a full scan with Avira-live-disc to no avail. It didn’t find anything.

We managed to capture the traffic with Wireshark, and to our surprise it is not only trying to log into the router, it is accessing a host of websites like Facebook, Citibank, Bank of America, Amazon, Twitter… you get the gist.

The Wireshark capture:

We set up Wireshark on the affected computer and set the filter to capture packets destined for the router, ip.dst==192.168.1.100, which is the IP of the router.

We do not have the expertise to interpret the Wireshark capture, so here is a rough run-down of the events.

  • It starts with an ICMP “Echo ping request”, and then a NBNS “name query NBSTAT” and gets a “Destination unreachable” back via ICMP. I expect this is to the router.

  • It then does an external address request with NAT-PMP and again gets a “Destination unreachable” back through ICMP. This happens a couple of times.

  • Then a host of TCP, HTTP, SSDP and HTTP/XML traffic, with lines such as “192.168.1.32 192.168.1.100 TCP 66 59178 → 80 [SYN] Seq=0 Win=8192 Len=0 MSS=1460 WS=4 SACK_PERM=1”

  • Then comes a lot of DNS traffic to the aforementioned sites, citibank, twitter and the like.

  • Then lastly it has a lot of TCP and HTTP traffic, looking like the one above, with content we do not know how to interpret.

What does it look like it is doing?
How do we get rid of it?

Thanks in advance - Zumps and Simon.


The conclusion to all of this is that we will uninstall AVAST and the trading app and monitor the network traffic in the future to see if it changes anything.

My sincerest gratitude goes out to everyone who contributed. You guys have a mighty deposit on the goodwill account!

2 Likes
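To make the run-down above easier to reason about, here is an added triage script (my example, not code from the thread or from any of the tools named in it). It assumes the capture was exported from Wireshark's packet list as plain text with the columns Source, Destination, Protocol, Length, Info (the shape of the line quoted above), that the router is 192.168.1.100 and the affected host is 192.168.1.32 as in the thread, and that the watchlist of domains is the one the post names. The sample packets are constructed to mirror the described phases, so the output shows how the ICMP echo, NBSTAT, NAT-PMP and SSDP packets cluster as local discovery, how many SYNs hit the router's port 80, and which DNS lookups land on the watchlist:

```python
"""Triage of a Wireshark packet-list text export (added example, not the thread's code).

Assumed column layout per line:  Source  Destination  Protocol  Length  Info
"""
import re
from collections import Counter

ROUTER = "192.168.1.100"    # router IP as given in the thread
INFECTED = "192.168.1.32"   # host that appears in the quoted packet line
# Domains the thread lists as unexpected destinations (assumed watchlist)
WATCHLIST = ("facebook.com", "citibank.com", "bankofamerica.com", "amazon.com", "twitter.com")

# Constructed sample packets shaped after the phases described in the post.
SAMPLE = """\
192.168.1.32 192.168.1.100 ICMP 74 Echo (ping) request id=0x0001, seq=1/256, ttl=128
192.168.1.32 192.168.1.100 NBNS 92 Name query NBSTAT *<00><00><00><00><00><00><00><00><00><00><00><00><00><00><00>
192.168.1.100 192.168.1.32 ICMP 120 Destination unreachable (Port unreachable)
192.168.1.32 192.168.1.100 NAT-PMP 44 External Address Request
192.168.1.100 192.168.1.32 ICMP 72 Destination unreachable (Port unreachable)
192.168.1.32 239.255.255.250 SSDP 175 M-SEARCH * HTTP/1.1
192.168.1.32 192.168.1.100 TCP 66 59178 → 80 [SYN] Seq=0 Win=8192 Len=0 MSS=1460 WS=4 SACK_PERM=1
192.168.1.32 192.168.1.100 TCP 66 59179 → 80 [SYN] Seq=0 Win=8192 Len=0 MSS=1460 WS=4 SACK_PERM=1
192.168.1.32 192.168.1.100 DNS 78 Standard query 0x1a2b A www.citibank.com
192.168.1.32 192.168.1.100 DNS 78 Standard query 0x1a2c A www.bankofamerica.com
192.168.1.32 192.168.1.100 DNS 74 Standard query 0x1a2d A www.twitter.com
192.168.1.32 192.168.1.100 DNS 80 Standard query 0x1a2e A update.example.invalid
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\d+)\s+(.*)$")
DNS_QUERY_RE = re.compile(r"Standard query 0x[0-9a-fA-F]+ (?:A|AAAA) (\S+)")
# Wireshark renders the port arrow as "→" in the GUI and "->" in some text exports
SYN_RE = re.compile(r"(\d+) (?:→|->) (\d+) \[SYN\]")


def parse_line(line):
    """Split one packet-list line into its columns; None for lines that do not fit."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    src, dst, proto, length, info = m.groups()
    return {"src": src, "dst": dst, "proto": proto, "len": int(length), "info": info}


def classify(pkt):
    """Map a packet to one of the phases the thread describes."""
    proto, info = pkt["proto"], pkt["info"]
    if proto == "ICMP" and "Echo (ping) request" in info:
        return "icmp_echo"
    if proto == "ICMP" and "Destination unreachable" in info:
        return "icmp_unreachable"
    if proto == "NBNS" and "NBSTAT" in info:
        return "nbns_nbstat"
    if proto == "NAT-PMP":
        return "nat_pmp"
    if proto == "SSDP":
        return "ssdp"
    if proto == "DNS" and DNS_QUERY_RE.search(info):
        return "dns_query"
    if proto == "TCP" and SYN_RE.search(info):
        return "tcp_syn"
    return "other"


def on_watchlist(name, watchlist=WATCHLIST):
    """True if the queried name is a watchlist domain or a subdomain of one."""
    return any(name == w or name.endswith("." + w) for w in watchlist)


def triage(text, host=INFECTED, router=ROUTER, watchlist=WATCHLIST):
    """Count packets per phase for one host and pull out the DNS names and router ports."""
    phases, syn_ports, dns_names = Counter(), Counter(), []
    for line in text.splitlines():
        pkt = parse_line(line)
        if pkt is None or host not in (pkt["src"], pkt["dst"]):
            continue
        kind = classify(pkt)
        phases[kind] += 1
        if kind == "dns_query":
            dns_names.append(DNS_QUERY_RE.search(pkt["info"]).group(1))
        elif kind == "tcp_syn" and pkt["dst"] == router:
            syn_ports[int(SYN_RE.search(pkt["info"]).group(2))] += 1
    return {
        "phases": dict(phases),
        "dns_names": dns_names,
        "flagged_dns": sorted(n for n in dns_names if on_watchlist(n, watchlist)),
        "router_syn_ports": dict(syn_ports),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE).items():
        print(f"{key}: {value}")
```

Run it against a real export by replacing SAMPLE with the file contents (File > Export Packet Dissections > As Plain Text in Wireshark, with the packet summary line enabled). The discovery cluster (echo, NBSTAT, NAT-PMP, SSDP, then SYNs to the router's port 80) is what the thread later attributes to Avast's router checks; the flagged DNS names are the part that still needs an explanation, which is why the thread points at the trading app.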

I would highly appreciate it if you could supply the actual Wireshark log. And after that, "quarantine" the machines, a.k.a. unplug them and leave them unplugged from the internet... I would even suggest you stop using them.

Can I send it to you privately? I am not sure if any personal details are in there, so I wouldn't leave it in the open here.

Both are good AVs. Here's the news: AV is crap. For anything other than well-known malware, they don't work, and tend to lead people into a false sense of security.

As @Th3Z0ne said, proper logs would give an answer to this.

The machines are compromised; there's only one option: wipe, and depending on the sensitivity of your network, destroy hardware with writable firmware controllers.

If it's particularly sensitive, encrypt it (7zip encryption will do), email it to him, and PM him the password.

Thanks Eden. You can have the log; please see my other reply to Th3Z0ne. So what about all his data? Is there no way of backing it up and securely getting it to the new OS install?

Are the PCs still used by people?

Pull the drives and mount them read-only on a Linux PC. Pull the data off them that you want. I wouldn't bother with applications.

It's probably just some RAT or botnet malware; it likely isn't infecting all files. But it's hard to tell without more info.

The files you want (how much data are we talking?) are probably fine. But consider that it might have been a recent document that infected the computer in the first place, and it will reinfect if it's used on another computer. I'd back them up but not use them for a while. Delete anything you really don't need or can easily recreate, and rescan anything you do use after you've kept it isolated for a while and AV has caught up.

I'm paranoid about that stuff. If a computer gets infected, I tend to say it can no longer be trusted just by trying to clean it. How would you know?

It depends on how much you want assistance in possibly finding out what they do. As long as you only supply the logs concerning the IPs of the infected hosts (source and destination), no sensitive data should be disclosed if you do not use the aforementioned systems.

If you (or the owner of the systems) are concerned that an anonymous 3rd party (me, or anyone you send the log to and don't know in person) I would say, leave it as it is; keep the logs, destroy them,

BUT! nuke the systems (a.k.a. format them) entirely, as they are compromised and thus are not to be trusted any further! - then reinstall them freshly;
Also have the owner of the systems change ALL passwords they have from a safe (maybe your) computer ASAP.

If you are curious though, I welcome you to 7zip/zip (whatever) the file with a password and DM me the link and password. I would like to have a look, but can NOT promise to find out what was going on!

Concerning backing the machine up, mount the drives read-only and only copy what really is necessary. No applications; only data.
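On the point about only supplying log lines that concern the infected hosts' IPs (source and destination), here is an added example of scoping a capture before sharing it (my code, not anything from the thread). It assumes the same whitespace-separated packet-list text as before (Source, Destination, Protocol, Length, Info), that the two affected PCs are 192.168.1.32 and a constructed 192.168.1.45, that the router is 192.168.1.100, and it adds a constructed NAS at 192.168.1.20 to show what gets dropped. It also contrasts this with the filter used in the original post, ip.dst==192.168.1.100, which keeps packets from every device on the LAN to the router (including the uninvolved NAS) while discarding the router's replies:

```python
"""Scope a Wireshark packet-list text export to the suspect hosts (added example).

Keeping a packet when a suspect host is the source OR the destination is the
equivalent of the Wireshark display filter  ip.addr == <host>.
"""
from ipaddress import ip_address

SUSPECTS = {"192.168.1.32", "192.168.1.45"}   # the two affected PCs (second one constructed)
ROUTER = "192.168.1.100"                       # router IP from the thread

# Constructed packet lines: two suspect PCs, the router, and an uninvolved NAS (192.168.1.20).
SAMPLE = """\
192.168.1.32 192.168.1.100 TCP 66 59178 → 80 [SYN] Seq=0 Win=8192 Len=0
192.168.1.100 192.168.1.32 TCP 66 80 → 59178 [SYN, ACK] Seq=0 Ack=1 Win=5840 Len=0
192.168.1.45 192.168.1.100 NAT-PMP 44 External Address Request
192.168.1.20 192.168.1.100 TCP 66 44210 → 445 [SYN] Seq=0 Win=29200 Len=0
192.168.1.100 192.168.1.20 TCP 66 445 → 44210 [SYN, ACK] Seq=0 Ack=1 Win=28960 Len=0
192.168.1.32 192.168.1.100 DNS 78 Standard query 0x1a2b A www.citibank.com
"""


def endpoints(line):
    """Source and destination columns of one packet-list line."""
    src, dst = line.split()[:2]
    return src, dst


def display_filter(hosts):
    """Wireshark display filter that keeps both directions for every suspect host."""
    return " || ".join(f"ip.addr == {h}" for h in sorted(hosts, key=ip_address))


def scope_capture(text, suspects=SUSPECTS):
    """Split the export into lines safe to share (suspect involved) and lines to drop."""
    kept, dropped = [], []
    for line in text.splitlines():
        if not line.strip():
            continue
        src, dst = endpoints(line)
        (kept if src in suspects or dst in suspects else dropped).append(line)
    return kept, dropped


def router_dst_only(text, router=ROUTER):
    """What the original post's filter (ip.dst == router) keeps, for comparison."""
    return [ln for ln in text.splitlines() if ln.strip() and endpoints(ln)[1] == router]


def other_lan_hosts(dropped, suspects=SUSPECTS, router=ROUTER):
    """Addresses that only show up in dropped lines: devices that should not be in the shared log."""
    hosts = set()
    for line in dropped:
        for ip in endpoints(line):
            if ip not in suspects and ip != router:
                hosts.add(ip)
    return sorted(hosts, key=ip_address)


if __name__ == "__main__":
    kept, dropped = scope_capture(SAMPLE)
    print("Apply in Wireshark:", display_filter(SUSPECTS))
    print(f"{len(kept)} lines to share, {len(dropped)} dropped")
    print("Other LAN hosts kept out of the shared log:", other_lan_hosts(dropped))
    print("The post's ip.dst filter would have kept", len(router_dst_only(SAMPLE)), "lines, replies excluded")
```

The display_filter string can be pasted straight into Wireshark's filter bar before exporting, so the shared file never contains the NAS or any other device, while the router's replies to the suspect PCs (which the ip.dst filter silently drops) stay in.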

Thanks a lot for your recommendations. We will work on backing up and wiping the drives.

We have made an encrypted 7zip with the log. Here's a Dropbox link; mind you, it's coming straight from the infected PC.

I will PM the password.

I am particularly interested to find out if our router has been compromised too; is it a possibility it could have come in through a back door by crashing the login procedure or flashing something to the firmware of the router? It has not reported a successful login attempt.

Also, a follow-up question: We have an Ubuntu Server NAS. No other Windows machines are doing the same thing to the router log, so I don't think they are infected yet, but is it a possibility the virus could lie dormant on the NAS waiting for another computer to pick it up? Clam does not find anything on the NAS though.

poke @Eden

Yes, he's still using one of the computers. I do have a spare Manjaro laptop he can borrow until this is all over.

Again, thanks for all your suggestions.

Turn off the computers that are affected.

1 Like

How do you know for sure that this is virus behaviour?

I don't. We have continued the discussion in a private thread. But the thing we saw in the router log, we think, is the actual AVAST anti-virus probing for weak passwords, as a feature.

It looks more like telemetry tracking that gets injected through Windows Update behaviour or something.

If you'd like, you can get included in the private thread and have a look at the Wireshark capture yourself?

Any help I can get is much appreciated!

There's a program systematically probing a router for info, trying to steal sensitive data from it to gain access.

@MisteryAngel up to now I conclude from the log that the "attack" on the router in fact is Avast checking for vulnerabilities, which got added in 2015.

@Eden it most likely is Avast - the user agent is not forged; Avast is trying all sorts of CSS injections, injections into CGI scripts and so forth.

What I am still not sure of, and can't tell from the Wireshark logs, is why the computer queries all different kinds of banks. I think it's the trading app though, which seems to be installed.

Could very well be the case, yes.
I do think that Avast is collecting data and selling it for profit.
Just like AVG does.

But I would also not be surprised if it's just MS who's doing their shenanigans in the background.

Why would they do that? That's insane... especially given it's not clear that's what the program does. So essentially it is malware xD