[Solved] Virus traffic captured with wireshark is not detected by anti-virus, not even a live anti-virus disc

Oh wow, you have been digging hard, haven't you? You just necroed it.


:P

The conclusion 8 months ago, also from the Wireshark dump I saw back then, is that it was Avast trying to "brute-force" known weak/default router passwords in an interesting attempt to save people from admin/admin in their routers ^^

And the DNS queries only looked suspicious because OP filtered only the traffic going to the router IP (ip.dst==), which excluded all but the relayed DNS traffic ^^ (most routers run as a DNS cache for your local network)

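To make the filtering point in the post above concrete, here is an added example (written for this page, not code from the thread, from Wireshark or from Avast). It replays a constructed packet trace and shows why a one-direction filter such as `ip.dst == <router>` leaves only the relayed DNS queries and the router login attempts visible, while the two-direction `ip.addr == <router>` keeps the DNS responses; it also applies the heuristic a practitioner would actually use on the capture, flagging any host that sends several distinct HTTP Basic credentials to the router in a short window, which is the "default password check" behaviour described above. The router and client addresses, hostnames, timings and credential list are all assumptions.

```python
"""
Added example: why `ip.dst == router` makes relayed DNS look suspicious, and how
to flag default-credential guessing against the router instead.

Every packet below is constructed for illustration. ROUTER, CLIENT, the
hostnames, timestamps and credential guesses are assumptions, not values
from the original capture.
"""
from collections import defaultdict
from dataclasses import dataclass

ROUTER = "192.168.1.1"   # assumed LAN gateway, which also forwards DNS for the LAN
CLIENT = "192.168.1.42"  # assumed host running the scanner


@dataclass(frozen=True)
class Pkt:
    ts: float
    src: str
    dst: str
    proto: str   # "DNS" or "HTTP"
    info: str    # Wireshark-style Info column, simplified


# Constructed trace as seen from the client's LAN segment: two normal lookups
# through the router (queries and answers), one ordinary web fetch that goes
# straight to the Internet host, then four quick Basic-auth guesses against
# the router's web UI, each rejected.
TRACE = [
    Pkt(0.00, CLIENT, ROUTER, "DNS", "query A example.com"),
    Pkt(0.02, ROUTER, CLIENT, "DNS", "response A example.com"),
    Pkt(0.05, CLIENT, "93.184.216.34", "HTTP", "GET / Host: example.com"),
    Pkt(0.30, "93.184.216.34", CLIENT, "HTTP", "200 OK"),
    Pkt(1.00, CLIENT, ROUTER, "DNS", "query A update.avast.com"),
    Pkt(1.02, ROUTER, CLIENT, "DNS", "response A update.avast.com"),
    Pkt(2.00, CLIENT, ROUTER, "HTTP", "GET / Authorization: Basic admin:admin"),
    Pkt(2.01, ROUTER, CLIENT, "HTTP", "401 Unauthorized"),
    Pkt(2.05, CLIENT, ROUTER, "HTTP", "GET / Authorization: Basic admin:password"),
    Pkt(2.06, ROUTER, CLIENT, "HTTP", "401 Unauthorized"),
    Pkt(2.10, CLIENT, ROUTER, "HTTP", "GET / Authorization: Basic admin:1234"),
    Pkt(2.11, ROUTER, CLIENT, "HTTP", "401 Unauthorized"),
    Pkt(2.15, CLIENT, ROUTER, "HTTP", "GET / Authorization: Basic root:root"),
    Pkt(2.16, ROUTER, CLIENT, "HTTP", "401 Unauthorized"),
]


def ip_dst(trace, host):
    """Same selection as the Wireshark display filter `ip.dst == host`: one direction."""
    return [p for p in trace if p.dst == host]


def ip_addr(trace, host):
    """Same selection as `ip.addr == host`: both directions, so replies are kept."""
    return [p for p in trace if host in (p.src, p.dst)]


def dns_views(trace, router):
    """(queries, responses) visible under each filter; ip.dst hides every answer."""
    def counts(pkts):
        q = sum(1 for p in pkts if p.proto == "DNS" and p.info.startswith("query"))
        r = sum(1 for p in pkts if p.proto == "DNS" and p.info.startswith("response"))
        return (q, r)
    return {"ip.dst": counts(ip_dst(trace, router)),
            "ip.addr": counts(ip_addr(trace, router))}


def flag_credential_guessing(trace, router, threshold=3, window=5.0):
    """Return {src: sorted credentials} for hosts that present at least
    `threshold` distinct Basic-auth credentials to the router within `window`
    seconds. Normal browsing never does this; a default-password scan does."""
    attempts = defaultdict(list)
    for p in trace:
        if p.dst == router and p.proto == "HTTP" and "Authorization: Basic " in p.info:
            cred = p.info.split("Authorization: Basic ", 1)[1]
            attempts[p.src].append((p.ts, cred))
    flagged = {}
    for src, lst in attempts.items():
        lst.sort()
        for i in range(len(lst)):          # sliding window anchored at attempt i
            creds = set()
            j = i
            while j < len(lst) and lst[j][0] - lst[i][0] <= window:
                creds.add(lst[j][1])
                j += 1
            if len(creds) >= threshold:
                flagged[src] = sorted(creds)
                break
    return flagged


if __name__ == "__main__":
    print("DNS (queries, responses) per filter:", dns_views(TRACE, ROUTER))
    print("Only to router (ip.dst):", len(ip_dst(TRACE, ROUTER)), "packets")
    print("To/from router (ip.addr):", len(ip_addr(TRACE, ROUTER)), "packets")
    print("Credential guessing:", flag_credential_guessing(TRACE, ROUTER))
```

In Wireshark itself the equivalent move is to replace `ip.dst == 192.168.1.1` with `ip.addr == 192.168.1.1` (or simply `dns`) so the answers appear next to the queries, and then to look at the HTTP requests to the router for repeated `Authorization` headers from the same host; in this constructed trace the ordinary web fetch to the Internet host is invisible under either router filter, which is exactly why a router-only view makes a normal machine look like it does nothing but DNS.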

@AFellowGamer @Th3Z0ne my bad, I have changed the title to [Solved] now.


I moved the [Solved] to the front so it's clearer. Maybe @Eden wants to close it. (does @moderators work by now?)


This sounds.... rooty.... Get a computer you can absolutely drop and start checking those USB sticks if you think they are the source. Could it be an ad bot? Or just a worm grabbing accounts?

To be honest I do not have enough knowledge to be able to tell what it is, but I trust @Th3Z0ne when he thinks it is legitimately Avast Anti-virus itself (from looking at the wire dumps). It has only happened on two machines having that anti-virus program in particular, and it has only happened when the OS with that program installed was live (i.e. not when booted into a Linux USB on the same machine), and I think I remember him finding a source that it is indeed a "feature" of Avast. So everything is pointing in that direction.

Yeah, go ahead and close the thread if you feel like it. @Eden or someone.

Just stalk @Eden, he loves the attention ;) right @Eden?

:p


You really should start looking at the date, man lol

A nice note to make is that making a virus undetectable to anti-virus software is not hard. Even HIPS systems can have trouble with $10 crypters.

AV signatures are from samples they've collected and categorised. If it's undetected it's either really new, not very widely spread, or so incredibly complex that it isn't being detected (basically it'd need to be Stuxnet, and it isn't Stuxnet).

Good to see you've solved it though.

Could I get a sample of the malware if you still have the exe or other binary? I'd love to have a look at it in depth

You can download an older version of Avast here if they have discontinued the feature. I don't know if they have though, it might still be in the current version. http://filehippo.com/download_avast_antivirus/history/

I don't need the AV, just the virus. It sounds hella interesting. Not much malware tries to brute-force routers.

It was most likely not a virus, it was Avast itself. Here is the source @Th3Z0ne found (which was on our private chat, my bad for not providing it here sooner), in which it says, translated from German:

"The 2015 generation of the Avast antivirus software checks not only the computer for security issues, but also the router. If you start a network scan via "Home Network Security", Avast runs a series of tests.

Router gaps
According to the manufacturer, the program investigates whether known security holes are open in the router and whether its services are accessible from the Internet. A test by heise Security showed that Avast tries to reach various URLs on the router's web server through which vulnerable devices, for example, export the configuration including the admin password without authentication."

And Simon, the guy with the affected computer, and I did find a slider in Avast saying something along the lines of "scan for vulnerabilities on the network".
