Community Lead

Re: Finally had it with Virgin(I sound like a broken record)

Hi @deckhanddave 

December 27th seems to have been the first report. The specific malware types are detected by a number of different sources and then reported back to us. Among them are Spamhaus and Microsoft DCU.

Some of the more recent timestamps and types are below:

2020-01-19 10:56:47  conficker
2020-01-19 17:04:33  conficker
2020-01-20 09:59:14  win32/defsel - This is a trojan that allows unauthorised access and control of an affected computer
2020-01-20 09:54:19  iotmirai
2020-01-20 11:43:53  msil/bladabindi and vbs/jenxcus - A PC that is infected with both msil/bladabindi and vbs/jenxcus
2020-01-20 22:33:20  msil/geratid - Backdoor trojan that can be used in DDoS attacks and to steal your private information
2020-01-20 23:22:54  win32/sality - Malware family can steal your personal information and lower your PC security settings
2020-01-20 23:20:05  win32/yemrok - Trojan silently downloads and installs other programs on your PC

It does seem like a lot of the malware is PC-based so I'd definitely be looking down that route as well as IoT devices. We don't detect or report on the instances directly ourselves, these are picked up by systems designed to monitor the internet for any malicious traffic. I'm afraid I don't understand how that process works well enough to explain how they can be picked up at that level where your checks and scans haven't revealed anything.

Kev

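As an added illustration (not code from Kev or from Virgin Media), the script below parses report lines in the format quoted above and summarises them by likely host type and by hour of day, which is the time-pattern question raised in this thread. The descriptions are shortened, and the prefix-to-host-type mapping is my assumption rather than anything stated in the reports.

```python
import re
from collections import Counter
from datetime import datetime

# Report lines in the format quoted in the post above (descriptions shortened here).
REPORT_LINES = """\
2020-01-19 10:56:47 conficker
2020-01-19 17:04:33 conficker
2020-01-20 09:59:14 win32/defsel This is a trojan that allows unauthorised access
2020-01-20 09:54:19 iotmirai
2020-01-20 11:43:53 msil/bladabindi and vbs/jenxcus A PC infected with both families
2020-01-20 22:33:20 msil/geratid Backdoor trojan usable in DDoS attacks
2020-01-20 23:22:54 win32/sality Malware family that can steal personal information
2020-01-20 23:20:05 win32/yemrok Trojan that silently downloads other programs
"""

# timestamp, one or more lower-case family names joined by "and", optional description
LINE_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+"
    r"([a-z0-9]+(?:/[a-z0-9]+)?(?:\s+and\s+[a-z0-9]+(?:/[a-z0-9]+)?)*)"
    r"(?:\s+(.*))?$")

def parse_report(text):
    """Return (datetime, [families], description) for every well-formed line."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # ignore anything that is not a report line
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        families = [f.strip() for f in m.group(2).split(" and ")]
        records.append((ts, families, (m.group(3) or "").strip()))
    return records

def classify(family):
    """Assumed host type from the family-name prefix; not a mapping from the post."""
    if family.startswith(("win32/", "msil/", "vbs/")) or family == "conficker":
        return "windows-pc"
    if family.startswith("iot"):
        return "iot-device"
    return "unknown"

def summarise(records):
    """Earliest report, report count per host class, and count per hour of day."""
    by_class = Counter(classify(f) for _, fams, _ in records for f in fams)
    by_hour = Counter(ts.hour for ts, _, _ in records)
    return {"first_report": min(ts for ts, _, _ in records),
            "by_class": dict(by_class), "by_hour": dict(by_hour)}
```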


deckhanddave

No visible pattern to the times then. I'd hoped I might be able to make a connection using times. I am totally at a loss to explain this so I might just have to call in an expert. I run Windows Defender and did an offline scan and deep scan but never found anything. What puzzles me most is why Dec 27th??? There is nothing new in the way of computer stuff, i.e. networked drives that haven't been there for years. That leaves me with IoT. My SMART plugs and bulbs have been connected for quite some time with no problems and were all reinstalled when the router was changed on 7th Jan or thereabouts, as was all the Alexa stuff. That leaves me my DAB/internet radio which I haven't got connected at present, my TV, my Virgin V6 box (1 cabled & 1 wifi), my IP cameras, analogue CCTV DV recorder, my networked HDDs and SMETS2 smart meter. Thanks for the info Kev. I wonder, could you liaise between me and the people you got the activity reports from and maybe monitor it on a daily basis? I'm just wondering if the way to find it is by connecting things one by one daily and seeing when the activity starts up. I'm doing another deep scan of my computer and its network HDDs to see if I can find the problem.

Community Lead

Hey @deckhanddave 

If you want to start ruling out devices I can certainly check in with our security team to see if we're still receiving reports of breaches. Our advice is normally to try to clean everything up and then retest, but I appreciate the difficulty in isolating so many devices when scans aren't showing anything. It might be best if you were to take things off for a period of time and keep track. We could then check that entire timespan and see if there are any patterns.

I don't know how far you've got with following the steps in the links I posted earlier, but it's worth making sure all those boxes are ticked as well, in terms of prevention once things have been cleaned up.

Kev

deckhanddave

I'm currently doing a full scan running Microsoft Safety Scanner 1.0.3001.0 and Windows Defender, along with continuing monitoring with Wireshark. My laptop is not a happy bunny doing all that and my trying to do this too. I've literally checked every single piece of IoT I have to the best of my ability and can't find a thing. There are no supplied logins being used that I can see and, having just recently re-connected everything to the last router I got, I can't see anything I have missed. I'll finish these scans off and then list each and every thing that is attached to my network, then tick each and every one of them off as I check them. I'll be back in touch when my computer will allow me to do stuff a bit easier than at present. It's getting a headache like I already have! Thanks for the help.

Dave

Very Insightful Person

@deckhanddave reading back through this thread, I think you have been given, not incorrect but incomplete advice about scanning with Wireshark. If you just follow exactly the linked thread it describes how to find a device on your network which is sending out traffic to the internet on port 25 (SMTP). And this is all fine but that's not the situation in your case - you don't have a problem where your IP address has been blocked from sending email but rather you have a device somewhere which is sending out 'some other kind' of malicious traffic - just scanning for SMTP traffic isn't going to find it.

Now unfortunately, it's not anywhere near as simple as 'look for outgoing traffic on port xxx' it'll be a case of researching all the exploits which @Kev_B has identified as being present on your home network, find out which ports they use for outbound traffic and look for those - I'm afraid it's a big and complex job.

Now you say that nothing has been added to your network on the days in question, but often malware will lay dormant for a while in an attempt to avoid detection. Or did something update to a new version of its operating system which may have been compromised? Did you download any updates or add features to anything?

What you need is to have some means of logging all of the outgoing traffic from your network to the internet and then look through the logs and see if anything looks 'suspicious'. I know what suspicious is when I see it but I really can't tell you up front - it's all down to experience. Unfortunately the VM Hub has absolutely no traffic logging abilities at all, so the first thing would be to investigate getting your own more sophisticated router which can log outgoing traffic for inspection.

OK now I know that this has not been particularly helpful in finding out exactly what it is causing your problems, but I wanted to say that these things are unfortunately not as easy to fix as it might seem at first. Start by making a comprehensive list of every single device on your home network, ask yourself has anything changed with this device recently, updates, new features etc? For each device, can I scan it for malware, PCs yes; IoT devices not so easy, can I factory reset them? The nuclear option is to literally disconnect everything and then plug one or two things in at a time and leave it like that for a couple of days - do you get taken off the blacklists? If so add something else - rinse and repeat!

Believe me I know, it's all a laborious, frustrating and time consuming process, especially if you have a lot of devices - but it's the only way to eventually sort it out.

Best wishes

John 
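As an added example (not John's code, and not anything the Hub provides), this is the sort of first-pass triage one could run over an outbound connection log from a logging-capable router, as John suggests: it groups connections per LAN host and flags the two ports the thread keeps coming back to (23 telnet and 25 SMTP) plus scanning-style fan-out to many destinations. The log format, the sample lines, the extra port 2323 and the fan-out threshold are all constructed assumptions.

```python
from collections import defaultdict

# Constructed outbound connection log (timestamp, LAN source, destination, port, protocol)
# in the shape a logging-capable home router or firewall might emit; not from the VM Hub.
CONN_LOG = """\
2020-01-21 02:00:01 192.168.0.20 203.0.113.5 443 tcp
2020-01-21 02:00:02 192.168.0.20 203.0.113.9 443 tcp
2020-01-21 02:00:03 192.168.0.37 198.51.100.1 23 tcp
2020-01-21 02:00:03 192.168.0.37 198.51.100.2 23 tcp
2020-01-21 02:00:03 192.168.0.37 198.51.100.3 23 tcp
2020-01-21 02:00:04 192.168.0.37 198.51.100.4 2323 tcp
2020-01-21 02:00:05 192.168.0.37 198.51.100.5 23 tcp
2020-01-21 02:00:07 192.168.0.42 203.0.113.77 25 tcp
2020-01-21 02:00:08 192.168.0.42 203.0.113.78 25 tcp
2020-01-21 02:00:09 192.168.0.20 203.0.113.9 53 udp
"""

# Ports the thread singles out: 25 (SMTP, the blocklist case the linked guide covers)
# and 23 (telnet, probed by Mirai-style IoT malware). 2323 and the threshold are assumed.
WATCH_PORTS = {23: "telnet", 2323: "telnet-alt", 25: "smtp"}
FANOUT_THRESHOLD = 4  # distinct destinations on one port from a single host

def parse_conn_log(text):
    """Parse whitespace-separated log lines; malformed lines are skipped."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 6:
            continue
        date, time, src, dst, port, proto = parts
        rows.append({"ts": f"{date} {time}", "src": src, "dst": dst,
                     "port": int(port), "proto": proto})
    return rows

def triage(rows):
    """Per LAN host, list the reasons its outbound traffic deserves a closer look."""
    dests = defaultdict(lambda: defaultdict(set))  # src -> port -> {dst}
    for r in rows:
        dests[r["src"]][r["port"]].add(r["dst"])
    findings = {}
    for src, ports in dests.items():
        reasons = []
        for port, hosts in sorted(ports.items()):
            if port in WATCH_PORTS:
                reasons.append(f"outbound {WATCH_PORTS[port]} ({port}) to {len(hosts)} host(s)")
            if len(hosts) >= FANOUT_THRESHOLD:
                reasons.append(f"fan-out: {len(hosts)} distinct hosts on port {port}")
        if reasons:
            findings[src] = reasons
    return findings
```

Hosts that only talk HTTPS and DNS to a couple of destinations produce no finding, so the output is a short list of hosts to take off the network first rather than a dump of every flow.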

deckhanddave

John, you have just summed up perfectly where I am and what I am looking at. I've checked every port but they show closed. I read that some of the malwares do that now, close the port they are using. I've also run Wireshark checking various ports, both on my wifi and using my laptop as a hotspot, but still nothing. I just got a new router courtesy of the engineer guy who rang from Virgin. If I connect that up, I'm not going to connect everything else back but will do it bit by bit. That's why I'm double checking my computer and network drives with Win Defender and Microsoft Safety Scanner. If that comes back clear I will connect the router then my laptop. After that, it will be one or two items at a time with time to see if anything pops up. There isn't anything that I can see or figure out that triggered this on the 27th but I am still actively looking. The only new items to the network are the Amazon stuff. The rest has been there for more than 6 months up to several years without a problem.

Very Insightful Person

Got to say, Gem's advice is sound. I would assume that Kev will feed back as and when new reports are generated.

Still going to be an uphill struggle, as it's not necessarily the case that a compromised device will start broadcasting as soon as it is reconnected. The one wrinkle I can think of is that, largely, specific malware uses specific ports. So you could leverage that and have Wireshark look at those in the first instance; it may narrow down some bits and bobs for you. Concentrate on the Trojans first, because if they are still active, new malware can arrive on your system at any time.

Don't forget that the 27th is a useful reference point, but NOT an absolute, because as Gem has already pointed out, malware can lie dormant after the initial infection.

As a Very Insightful Person, I'm here to share my knowledge. I don't work for Virgin Media.

deckhanddave

Hi 

Thanks for the input. I've run Defender offline and online scans and also Microsoft's Safety Scanner, no hits. I did full scans and then individual partitions and no hits. Yesterday, my wifi kept dropping and I lost much of my interactive TV service and the V6 box connected to wifi. It became such a mess that I just unplugged everything and then connected the new router. I've got an engineer here checking the wires etc but he says it's looking fine up to now. He's now doing whatever outside. I am now connecting everything back up but only selected bits at a time. I'm looking into purchasing either my own router and/or firewall. The engineer's just finished and confirmed that everything is fine from his side of things, so all this trouble is from the router/network. This router is working ok so it's down to adding IoT stuff back bit by bit. Later today I'm going to connect my networked HDDs direct to my laptop and scan them again whilst disconnected from the network, just to be sure. If anyone sees a flaw in my methodology please let me know. Thanks to everyone as always.

Very Insightful Person

Having had a quick Google of some of the infections listed by Kev, the Windows ones at least seem like a very cunning bunch of programs that are adept at changing to avoid detection. I'd suggest trying at least one other malware removal tool; there are plenty of free trials available. I believe the Microsoft AV/malware offerings are a lot better than they used to be, but I can remember when they were very poor and have never trusted them since.

Maybe booting the laptop with an AV rescue disk to avoid any compromised Windows boot files, if you haven't already.

______________________
Scott

My setup: V6 TV box, M350 Fibre broadband with Hub 3 in modem mode connected to a Netgear R7000 router. Telewest/VM user since 2001.

deckhanddave

I like your train of thought there Scott. I've also been toying with the idea of this- https://www.avg.com/en-gb/avg-go-tech-support

It isn't cheap but I'm thinking it may be worthwhile as I am rebuilding my network from the ground up. Changes I am thinking of doing are:

My own router

Possibly an additional hardware firewall

New Antivirus and malware software, possibly AVG to fit in with the tech support service if I do it.

Re-check each networked HDD on my laptop whilst disconnected from the internet, possibly replacing them with a 5-bay NAS drive to allow for RAID and future expansion.

I'm determined not to have this happen again as this is like trying to knit clouds. Also, at present, whilst knowing it was the ip that was blocked due to malware, the only culprit appears to have been the old router. Unless it had been hacked somehow. So until I get to the bottom of it, this could happen all over again at any time.

For the record, I have Sharkwired several ports with nothing showing over 24hr periods; ports included were 23 and 25, both on wifi and hotspot. I did some others from the list of malware faves but it was taking days to do just one, so I stopped after getting no hits. I am now at the stage where I have changed router and everything is working fine. I connected my laptop after again checking it with Microsoft Security Scanner and Defender; again it came back clear. I have now reconnected two phones, both of which run AVG. I am just running Microsoft Windows Malicious Software Removal Tool before I go any further and add anything else. I'll post the results.
