[Solved] Virus traffic captured with wireshark is not detected by anti-virus, not even a live anti-virus disc

If i look at the listed sites where those pings are going to.
It looks to me that these are analytics.

1 Like

I'm quickly coming to the conclusion that AVG is the malware in its behaviour. @Th3Z0ne is still looking at some other things.

The conclusion to all of this is that we will uninstall AVAST and the trading app and monitor the network traffic in the future to see if it changes anything.

My sincerest gratitude goes out to everyone who contributed. You guys have a mighty deposit on the goodwill account!

5 Likes

Had to save that Image for my office wall =D thanks

Though I think it's once in a time not necessary this time

As did I xD

1 Like

OP, most of the stuff you described sounded like a normal host connection to me. When a host tries to contact the DHCP server, it needs to first send out a message to the broadcast address, over UDP. An echo ping request is used for finding out the destination IP address that the packets travel through; that's how a traceroute works. The third bullet is an interaction with the TCP/IP. Go google IP headers, and then google ICMP packet headers. Then it looks like your host of *.32 builds its DNS cache.

I'm not a pro or anything, but that's just what the traffic looks like based on what you described in your post.

Well, that's my two cents.

2 Likes

You're good! You nailed it from the description, which I was not able to.

The strange part though was that A) Avast (Anti)Virus began to "attack" routers in 2015 to check them for security flaws on a regular basis, and B) a trading app was installed that connected to all kinds of banks all over the world (and thus DNSed them).. All in all, without knowing that Avast got that "feature" last year, it all was pretty fishy tbh.

1 Like

Worth noting as well that avast also does the mass DNS spamming. Pretty dodgy even if their intentions were honest, I don't like it.

Please keep us informed about this.
Because this is interesting.

I personally use Avira, and wanted to switch to Avast a while back,
because of issues with VirtualBox.
But Avira has fixed their issue, though they needed 3 months to fix that.
Anyway, it sounds really dodgy if Avast is doing this.
And I'm also pretty curious what they are doing with all your data?
Can they be trusted?
I mean if I look where those pings are going, well.....

Have you confirmed it was Avast that DNS queried all those banks? I assume it was that banking app actually.. to get sources for the stock charts?

I haven't talked with my friend yet, if he's up for it, but.. could we do another capture with other filters, to get clear answers on some of these questions? What filters would that be?

What have you applied except filtering for the "suspect" PC's IP?

What is in the capture is only ip.dst to the router. If that answers your question? (I'm not sure how to understand it) We could do an && ip.src to the laptop if that would help.

Edit: Which is just a long way of saying ip.addr to the laptop, apparently.

ip.src== only gives packets coming from given ip
ip.dst== only gives packets going to given ip
ip.addr== gives all packets involved with given ip
if you want all but above you can use !( ) e.g. !(ip.addr==10.0.0.1) gives all but what 10.0.0.1 is involved with.

So if you captured with ip.addr==thepcweinvestigate we already had all packets that involved that machine.

But we didn't. We did ip.dst==routerip. I did specify this in the post. We thought it was rational to capture the very thing we thought was up, namely the login attempts to the router. And, so to speak, remove all the noise an ip.addr==hostmachine would generate. All the other traffic following was unknown to us before the capture. So, to shed some light over what that was all about, if there is interest to find out if it was avast or the trading app or whatnot, we could do another capture with ip.addr to get both in and out of the host machine.

I overred that ... sorry I was at work when I did the forensics besides my job :P

Now I know why there was no other traffic but management XD
Of course there was no communication with external systems in the dump when you only saved what's directed at the router.
The DNS stuff we only saw because your router is acting as a DNS cache for your network; if it wasn't, we would not have seen the DNS queries with that filter.

I usually apply ip.addr==machineilookat and dump that; afterwards, to get a better view, I apply other filters like protocols and/or specific sources and destinations.
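An added example (not code from the thread): a small Python model of the ip.src / ip.dst / ip.addr / !( ) filter semantics discussed above, run over constructed packet records, to show why a capture limited to ip.dst==router kept only the router login attempts plus the DNS queries the router answered as a cache, while ip.addr==laptop would have kept the direct external connections too and could still be narrowed afterwards. All addresses and packets are constructed; nothing here reads a real capture.

```python
# Added example: models Wireshark's ip.src / ip.dst / ip.addr / !() filter semantics
# over constructed packet records (not a real capture) to compare what the
# ip.dst==router capture kept with what ip.addr==laptop would have kept.

LAPTOP = "10.0.0.32"       # the "*.32" host from the thread (constructed address)
ROUTER = "10.0.0.1"        # router, which also acts as the LAN's DNS cache here
EXT_BANK = "203.0.113.10"  # constructed external address (TEST-NET-3 range)

# (src, dst, protocol, note) -- constructed sample traffic
PACKETS = [
    (LAPTOP, ROUTER, "HTTP", "login attempt at the router admin page"),
    (LAPTOP, ROUTER, "DNS", "query for a bank domain, answered by the router cache"),
    (ROUTER, LAPTOP, "DNS", "cached answer"),
    (LAPTOP, EXT_BANK, "TLS", "trading app talking to the bank directly"),
    (EXT_BANK, LAPTOP, "TLS", "bank reply"),
    (LAPTOP, "255.255.255.255", "DHCP", "broadcast discover"),
]

# Each helper returns a predicate over one packet, mirroring the filter keyword.
def ip_src(addr):  return lambda p: p[0] == addr
def ip_dst(addr):  return lambda p: p[1] == addr
def ip_addr(addr): return lambda p: addr in (p[0], p[1])
def not_(f):       return lambda p: not f(p)
def and_(f, g):    return lambda p: f(p) and g(p)
def proto(name):   return lambda p: p[2] == name

def apply_filter(flt, packets=PACKETS):
    """Return the packets a capture/display filter keeps, as (src, dst, proto) tuples."""
    return [p[:3] for p in packets if flt(p)]

# What the thread actually captured: only traffic addressed to the router.
captured = apply_filter(ip_dst(ROUTER))
# What ip.addr==laptop would have captured, then narrowed post-capture.
everything = apply_filter(ip_addr(LAPTOP))
external_only = apply_filter(and_(ip_addr(LAPTOP), not_(ip_addr(ROUTER))))
dns_only = apply_filter(and_(ip_addr(LAPTOP), proto("DNS")))

if __name__ == "__main__":
    for label, rows in [("ip.dst==router", captured), ("ip.addr==laptop", everything),
                        ("... && !(ip.addr==router)", external_only), ("... && dns", dns_only)]:
        print(f"{label}: {len(rows)} packets")
        for r in rows:
            print("   ", r)
```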

Glad I could be of help!

I'm glad I took those networking classes.

1 Like

Ahh, yes of course we could have applied filters post-capture. I seem to learn stuff everyday on this forum. Now I know for next time at least.

From the description it looks like it's trying to access your router and change your DNS settings, or maybe launch a DNS attack (DDoS).