THREATCORE PROJECT Recovers From Mystery Malware Attack...
Sophisticated series of attacks into email, network wireless router, home based PC...
THREATCORE PROJECT
04/13/2016 - 6:38 PM EDT
It was March 3 when my phone started to blow up. I was getting bounced (rejected) emails - lots of them.
Since I didn't send these, I assumed my Threatcore email password had been brute-forced. What I found odd was that the password was too strong to be a plausible target for a dictionary attack. I wasn't overly concerned about this, since the email address is not something I use for personal business. In fact, I only use that specific account for collecting tips through my website. But little did I know then, something more was building.
The solution for this attack was quite simple. Delete the email account completely, recreate it [from a clean PC], and set a new password. Problem solved? Not quite.
Details...
I called my hosting provider and alerted them to the email activity. Some web hosting providers will 'blacklist' a user for sending large volumes of email, since that usually indicates a spammer. In my case the support technician told me over the phone, "Whoa, you are sending over 200 emails per hour." The volume of outbound mail had triggered my hosting company's sending limits.
More...
A few days later I visited the web page of my bank. Glaring at me in bright red, the HTTPS:// was crossed out. This generally means there is a problem with the site's certificate, or that something between the browser and the bank is intercepting the connection (a man-in-the-middle attack). A quick way to tell the two apart is to open the certificate the browser presents and compare its issuer and fingerprint with what a known-clean machine sees for the same site; a different issuer on only one machine points at interception on that host rather than at the bank. After checking the same site from my laptop and seeing it in green, I suspected the desktop PC was infected.
I had antivirus software on the computer, but, curious, I grabbed my son, who was interested in this, and we took a drive to Best Buy, where I picked up a copy of Kaspersky. After a full scan, nothing was found. I also ran Malwarebytes, Avast, Spybot, and F-Secure's rootkit detection tool. Nothing found.
Mysterious Wifi Connections...
I logged into my wireless router to audit all connected devices. There was my laptop, business PC, kid's iPod, Wii, printer, and two other devices named 'UNKNOWN'. What were these two other devices?
I went room by room and turned off all devices. Phones, printer, Wii, everything was powered down. Logging back into the wireless router showed only two connections, you guessed it, both 'UNKNOWN' devices. I changed the router's password and watched the devices disappear from the network. (The router's client list also shows each device's MAC address; recording those before evicting unknown clients is worth the minute it takes, since the first three octets identify the hardware manufacturer and give you something concrete to search for later.)
Intrusion Detection Logs...
At this point I was very curious about what was going on, and this prompted me to take a peek into the logs of my intrusion detection system (IDS). I strongly advise never keeping the logs only on the IDS host itself. If I am an attacker, I am deleting the logs and the digital trail showing that I was in your network. Always get those logs off to a secure central repository.
What I saw was very alarming. The suspected compromised computer in my home (10.0.0.4 in the alerts below; 10.0.0.1 is the router) was attempting an FTP connection to the router, followed by ping requests and a scan of my network:
Mar 4 19:47:23 3355-lvl-snort snort[1046]: Ping from an external network {ICMP} 10.0.0.4 -> 10.0.0.1
Mar 4 19:47:23 3355-lvl-snort snort[1046]: ICMP PING [Classification: Misc activity] {ICMP} 10.0.0.4 -> 10.0.0.1
Mar 4 19:47:23 3355-lvl-snort snort[1046]: ICMP Echo Reply [Classification: Misc activity] {ICMP} 10.0.0.4 -> 10.0.0.1
Mar 4 19:47:23 3355-lvl-snort snort[1046]: SCAN UPnP service discover attempt [Classification: Detection of a Network Scan] {UDP} 10.0.0.4:64255 -> 10.0.0.1:1900
More port scanning continued on March 4th, followed by this:
Mar 4 21:42:22 3355-lvl-snort snort[1046]: WEB-MISC /etc/passwd [Classification: Attempted Information Leak] {TCP} 10.0.0.4:64930 -> 10.0.0.1:80
This is reconnaissance aimed at the password file on Unix-like systems; the alert fires because a request to the router's web interface on port 80 carried the string /etc/passwd. That file lists every account on the system (username, numeric IDs, home directory, login shell), and on older systems held the password hashes as well, so it hands an attacker a list of valid usernames, or hashes, to feed into brute-force password attacks. Next came a directory traversal attack:
Mar 4 21:42:22 3355-lvl-snort snort[1046]: WEB-MISC http directory transversal [Classification: Attempted Information Leak] {TCP} 10.0.0.4:64930 -> 10.0.0.1:80
A directory traversal attack targets an application that builds a file path out of user input: by putting ../ sequences into the requested URL, the attacker walks out of the directory the web server is meant to expose and reads files elsewhere on the device, which is exactly how a web request ends up pointing at /etc/passwd. Immediately following comes something even creepier. My NetGear router was attacked with the factory default credentials that NetGear ships on its devices, admin/password:
Mar 4 21:42:22 3355-lvl-snort snort[1046]: WEB-MISC NetGear router default password login attempt admin/password [Classification: Attempt to Login By a Default Username and Password] {TCP} 10.0.0.4:64949 -> 10.0.0.1:80
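The /etc/passwd and directory traversal alerts above are two faces of the same bug: a web application that builds a filesystem path from the request URL without checking where the result lands. The following Python is an added example, not code from the post or from any router firmware; it contrasts a naive path resolver with a hardened one against constructed probe URLs, including a percent-encoded variant. The document root /var/www/htdocs is an assumed value.

```python
import posixpath
from urllib.parse import unquote

# Assumed document root for the illustration; a real embedded web server
# would use whatever directory its firmware serves from.
WEB_ROOT = "/var/www/htdocs"

# Constructed probe URLs, modelled on what trips Snort's WEB-MISC /etc/passwd
# and directory traversal rules: plain ../, ../ inside a subdirectory, and
# percent-encoded dots that only show up as ../ after URL decoding.
PROBES = [
    "/index.html",
    "/../../../../etc/passwd",
    "/images/../../../../etc/passwd",
    "/%2e%2e/%2e%2e/%2e%2e/etc/passwd",
]


def resolve_naive(web_root, request_path):
    """Vulnerable: glues the decoded URL onto the document root and normalises it.
    Nothing rejects '..' segments, so the result can climb out of web_root."""
    return posixpath.normpath(web_root + "/" + unquote(request_path))


def resolve_safe(web_root, request_path):
    """Hardened: decode, normalise, then require the result to sit inside
    web_root. Returns the absolute path, or None if the request escapes."""
    root = posixpath.normpath(web_root)
    decoded = unquote(request_path)
    # Strip the leading slash so posixpath.join does not treat the request
    # as an absolute path that replaces the root outright.
    candidate = posixpath.normpath(posixpath.join(root, decoded.lstrip("/")))
    # Compare with the trailing separator: a bare startswith(root) would
    # wrongly accept a sibling directory such as /var/www/htdocs-old.
    if candidate != root and not candidate.startswith(root + "/"):
        return None
    return candidate


def classify(request_path, web_root=WEB_ROOT):
    """Return (naive_result, safe_result) for one request so the two can be compared."""
    return resolve_naive(web_root, request_path), resolve_safe(web_root, request_path)


if __name__ == "__main__":
    for probe in PROBES:
        naive, safe = classify(probe)
        print(f"{probe:40} naive -> {naive:28} safe -> {safe or 'REJECTED'}")
```

The order of operations in resolve_safe matters: decoding before normalising is what catches the %2e%2e form, and normalising before the containment check is what turns ../ sequences into a path that can actually be compared against the root.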
To summarize, here's what we know. The computer contains malware that is unknown to antivirus. It pokes its head up occasionally, scans my network, attempts FTP connections, performs reconnaissance and probes, launches a directory traversal attack, and targets my specific brand of wireless router. Between periods of sleep, it pops back up and performs more scans.
Because it is persistent, stays low and slow, and targets specific devices, you could question whether this is a crafted APT (Advanced Persistent Threat) in the wild.
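The sequence the author pulled out of the Snort logs by hand (ping and UPnP sweep, then web-interface probes, then a default-credential login, all from one internal host) can be turned into a simple escalation check that runs over the raw syslog lines. The Python below is an added example, not part of the original post or of Snort; it parses the alert format shown above, maps each alert to a stage, and flags any source address that reaches three or more of the four stages. The input is the post's own alert lines plus one constructed benign line from a second internal host, 10.0.0.7, an assumed address added for contrast.

```python
import re
from collections import OrderedDict

# The alert lines quoted in the post, plus one constructed line from an
# assumed second host (10.0.0.7) that only pings the router.
SAMPLE_LOG = """\
Mar 4 19:47:23 3355-lvl-snort snort[1046]: Ping from an external network {ICMP} 10.0.0.4 -> 10.0.0.1
Mar 4 19:47:23 3355-lvl-snort snort[1046]: ICMP PING [Classification: Misc activity] {ICMP} 10.0.0.4 -> 10.0.0.1
Mar 4 19:47:23 3355-lvl-snort snort[1046]: ICMP Echo Reply [Classification: Misc activity] {ICMP} 10.0.0.4 -> 10.0.0.1
Mar 4 19:47:23 3355-lvl-snort snort[1046]: SCAN UPnP service discover attempt [Classification: Detection of a Network Scan] {UDP} 10.0.0.4:64255 -> 10.0.0.1:1900
Mar 4 20:05:10 3355-lvl-snort snort[1046]: ICMP PING [Classification: Misc activity] {ICMP} 10.0.0.7 -> 10.0.0.1
Mar 4 21:42:22 3355-lvl-snort snort[1046]: WEB-MISC /etc/passwd [Classification: Attempted Information Leak] {TCP} 10.0.0.4:64930 -> 10.0.0.1:80
Mar 4 21:42:22 3355-lvl-snort snort[1046]: WEB-MISC http directory transversal [Classification: Attempted Information Leak] {TCP} 10.0.0.4:64930 -> 10.0.0.1:80
Mar 4 21:42:22 3355-lvl-snort snort[1046]: WEB-MISC NetGear router default password login attempt admin/password [Classification: Attempt to Login By a Default Username and Password] {TCP} 10.0.0.4:64949 -> 10.0.0.1:80
"""

# Matches the shape of the lines above: timestamp, sensor, "snort[pid]:",
# message, optional classification, protocol, src[:port] -> dst[:port].
ALERT_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<sensor>\S+) snort\[\d+\]: "
    r"(?P<msg>.*?)(?: \[Classification: (?P<cls>[^\]]+)\])? "
    r"\{(?P<proto>\w+)\} (?P<src>[\d.]+)(?::\d+)? -> (?P<dst>[\d.]+)(?::(?P<dport>\d+))?$"
)

# Attack stages in the order the post observed them.
STAGES = ("recon", "scan", "web-probe", "default-creds")


def parse_alert(line):
    """Return the alert's fields as a dict, or None for lines that do not match."""
    m = ALERT_RE.match(line.strip())
    return m.groupdict() if m else None


def stage_of(alert):
    """Map one parsed alert to a stage name, using the classification first
    and the message prefix as a fallback for unclassified lines."""
    cls = alert["cls"] or ""
    msg = alert["msg"]
    if cls == "Detection of a Network Scan" or msg.startswith("SCAN"):
        return "scan"
    if cls.startswith("Attempt to Login By a Default"):
        return "default-creds"
    if cls == "Attempted Information Leak":
        return "web-probe"
    if msg.startswith(("ICMP", "Ping")):
        return "recon"
    return None


def escalating_hosts(log_text, min_stages=3):
    """Return {src: [stages in order first seen]} for every source address
    whose alerts cover at least min_stages distinct stages."""
    seen = OrderedDict()
    for line in log_text.splitlines():
        alert = parse_alert(line)
        if alert is None:
            continue
        stage = stage_of(alert)
        if stage is None:
            continue
        per_host = seen.setdefault(alert["src"], OrderedDict())
        per_host.setdefault(stage, alert["ts"])  # keep first-seen timestamp
    return {src: list(st) for src, st in seen.items() if len(st) >= min_stages}


if __name__ == "__main__":
    for src, stages in escalating_hosts(SAMPLE_LOG).items():
        print(f"{src}: escalated through {' -> '.join(stages)}")
```

The regex is written for the excerpt as quoted in the post; Snort's full syslog alert format also carries a [gid:sid:rev] prefix and a [Priority: n] field, which would need to be added to the pattern before pointing this at a real sensor. The point of the stage mapping is that no single alert here is alarming on its own (a ping or an SSDP discover is normal on a home LAN), but one internal host walking through recon, scan, web probe and default-credential login within a couple of hours is the pattern worth paging on.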
More info to follow...
http://www.threatcore.com