Internet suspension warning, but unable to find malware

I've Been Here Awhile
Posts: 4
I've been contacted a few times in the last month by Rogers (after cutting off my internet, so I guess it's legit) that I have malware on my network.  We took all of our computers to the shop and the technician said he found a thing and removed it, and so we thought it was fixed.

It's not.  And I'm supposed to find this thing within 48 hours or my internet is suspended for a week.  I start teaching next week, and I do not think my students will be pleased if that happens... Heck, if they are just going to disconnect with no warning, I may have to just switch providers.

I ran Malwarebytes with Rootkit Scan on both of my Windows devices with no hits.  I've also run full antivirus scans, and the only hit I've found is on my university's emergency notification software that came preinstalled (guess I don't need that this semester).  I've run Malwarebytes (Full Scan) and Avast Mobile Security on my Android phone with no hits either.  I don't know what else I can do to find whatever it is they want me to look for.  What else can I do to try to find this thing?  The Rogers person on the phone has been frustratingly vague about... any information.  She was only able to give me two dates (no times) and say that it was labelled "Malware Virus", and pointed me to download Rogers Online Protection (which fails with "We were unable to complete your transaction at this time. Please call 1-888-ROGERS1 to order the service.", and I'm not sure it'll be better than an antivirus).

Is there some way for me to get more information on what device might be infected?  Or install something to monitor network traffic?  Or configure my modem to do something?  My modem is a CODA-4582U.

All Replies
Resident Expert
Posts: 14,245

Re: Internet suspension warning, but unable to find malware

I have seen quite a few people with this lately on here...

I am wondering if there is one of two things going on here.

A) That it's triggering from another device, not a PC or phone.  There could be a compromised device of another form on the network.  Do you have anything else internet connected on the network?  Wireless lights, cameras, etc.?  Many of them have firmware updates (usually available to update through the app for it).

B) That these are triggered from cloned modems.
Now that most people are on unlimited plans, people are not necessarily watching their usage anymore.
If someone out there is using a cloned modem, cloning your MAC address, it would look like any usage, etc. is all coming from your account.  People using these illegal cloned modems are usually using them for bad purposes, such as illegal downloading, and could also be running MAILING, SPAM, or VIRUS bots, which would trigger these warnings on YOUR account.
In these cases, your best bet would be to swap the modem.
(Though I'm not as sure how easy that is right now with the COVID stuff, etc.)



I've Been Here Awhile
Posts: 4

Re: Internet suspension warning, but unable to find malware

Those are interesting hypotheses.  I have a VoIP phone that I've unplugged already (though not before the flagged dates).

How would I go about initiating a modem swap?  Do I just show up at a store?  Do I have to go through phone support?

Resident Expert

Re: Internet suspension warning, but unable to find malware

@TK2000  What specific malware did Rogers detect?  Was the source IP address listed on the Rogers malware report actually the WAN IP address of your modem?  If it is different, that would support the theory that this traffic might have originated from a cloned modem.

Did the report indicate that you have an infected device that was actually sending malicious traffic, or that you have devices on your network that were responding to network scans which could be used by botnets to launch an attack?

How many devices do you have connected to your home network?  Can you trace each MAC address that is connected to your network to a specific device?  (You may find the MACVendors Lookup Tool or the Wireshark OUI Lookup Tool helpful to identify the manufacturer of the device.)

For the malware case, if you have ruled out your computers and smartphones, other likely culprits are smart TVs, media players or other devices where you can install (potentially infected) apps.  Also, IoT devices can become infected from the apps that interact with them.

Hopefully, you are not dealing with an actual infection but a network configuration issue, or something that can be fixed through a firmware update.



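One way to do the MAC-to-device tracing the reply above suggests, as an added example (not code from the thread, from Rogers, or from the lookup tools it names): read the neighbour table of a Linux machine on the LAN (`ip neigh show`), look each MAC's 24-bit prefix up in an OUI table, flag locally administered (randomised) addresses that can never match a vendor, and list whatever is not on the household's known-device list. The `ip neigh` output, the known-device list and the three-entry OUI excerpt are constructed for the example; for real work load the full IEEE OUI registry, which is what the MACVendors and Wireshark lookup tools query.

```python
"""Added example (not from the original thread): map every MAC seen on the LAN
to a vendor prefix and flag the ones nobody in the household can account for.

Input is the neighbour table as printed by `ip neigh show` on a Linux host on
the same LAN. The sample data below is constructed, not captured.
"""
import re
from typing import Dict, List, Tuple

# Excerpt of the IEEE OUI registry (24-bit prefixes); assumed correct, but
# verify against the full registry before relying on any single entry.
OUI_TABLE = {
    "00:50:56": "VMware",
    "B8:27:EB": "Raspberry Pi Foundation",
    "00:17:88": "Philips Lighting",
}

# Devices the household has already identified (constructed sample data).
KNOWN_DEVICES = {
    "00:17:88:12:34:56": "Hue bridge",
    "b8:27:eb:aa:bb:cc": "Raspberry Pi media player",
}

# Constructed `ip neigh show` output: one IPv6 entry reuses a MAC, one entry
# has no link-layer address at all (FAILED).
SAMPLE_NEIGH = """\
192.168.0.1 dev wlan0 lladdr 00:17:88:12:34:56 REACHABLE
192.168.0.23 dev wlan0 lladdr b8:27:eb:aa:bb:cc STALE
192.168.0.42 dev wlan0 lladdr 4e:91:2c:07:7d:e1 REACHABLE
192.168.0.77 dev wlan0 lladdr 00:50:56:c0:00:08 DELAY
fe80::217:88ff:fe12:3456 dev wlan0 lladdr 00:17:88:12:34:56 router REACHABLE
192.168.0.99 dev wlan0  FAILED
"""

NEIGH_RE = re.compile(
    r"^(?P<ip>\S+)\s+dev\s+(?P<dev>\S+)\s+lladdr\s+"
    r"(?P<mac>(?:[0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2})"
)


def parse_neigh(text: str) -> List[Tuple[str, str]]:
    """Return (ip, mac) pairs; entries without an lladdr (FAILED/INCOMPLETE) are skipped."""
    pairs = []
    for line in text.splitlines():
        m = NEIGH_RE.match(line)
        if m:
            pairs.append((m.group("ip"), m.group("mac").lower()))
    return pairs


def oui_vendor(mac: str) -> str:
    """Vendor for the first three octets, or 'unknown' if not in our table."""
    return OUI_TABLE.get(mac[:8].upper(), "unknown")


def is_locally_administered(mac: str) -> bool:
    """Bit 1 of the first octet set means the address is not burned in.
    Android/iOS per-network MAC randomisation produces exactly these, so such
    entries cannot be traced to a vendor and need a different approach."""
    return bool(int(mac[:2], 16) & 0x02)


def inventory(neigh_text: str, known: Dict[str, str]) -> Dict[str, dict]:
    """Collapse the neighbour table to one record per MAC and classify it."""
    result: Dict[str, dict] = {}
    for ip, mac in parse_neigh(neigh_text):
        rec = result.setdefault(mac, {
            "ips": [],
            "vendor": oui_vendor(mac),
            "randomised": is_locally_administered(mac),
            "known_as": known.get(mac),
        })
        if ip not in rec["ips"]:
            rec["ips"].append(ip)
    return result


def unaccounted(inv: Dict[str, dict]) -> List[str]:
    """MACs nobody in the household has claimed: these are the ones to chase."""
    return sorted(mac for mac, rec in inv.items() if rec["known_as"] is None)


if __name__ == "__main__":
    inv = inventory(SAMPLE_NEIGH, KNOWN_DEVICES)
    for mac, rec in sorted(inv.items()):
        tag = rec["known_as"] or (
            "randomised MAC: check phones/laptops" if rec["randomised"] else "UNACCOUNTED")
        print(f"{mac}  {rec['vendor']:<24} {', '.join(rec['ips']):<36} {tag}")
```

Run it on any Linux box on the same Wi-Fi/LAN after a few minutes of normal household activity so the neighbour cache is populated (on Windows, `arp -a` gives the same data in a different layout). Phones with MAC randomisation show up with the locally administered bit set and no vendor match; that is expected, not a sign of cloning. Anything left in the unaccounted list is the next thing to power off and see whether the alerts stop.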

Resident Expert

Re: Internet suspension warning, but unable to find malware


@TK2000 wrote:

How would I go about initiating a modem swap?  Do I just show up at a store?  Do I have to go through phone support?


I think that you can swap the CODA modem at your local Rogers store.  However, you will first need to call Rogers tech support.  They need to generate an order in the system for the swap; the store would then process the swap.  (Make sure that you get a receipt for any hardware that you return.)  Tech support can probably also arrange for a replacement to get shipped to you.

You should also ask the support tech if they have any way to investigate whether your modem could have been cloned, or if they check to see whether your modem's MAC address is currently active on multiple CMTSs.



I've Been Here Awhile
Posts: 4

Re: Internet suspension warning, but unable to find malware

Thanks everyone.  I called tech support back again, and this time reached someone who was more helpful.  I'll post information here in case it is helpful for others.  They sent me a timestamped log entry that included the following fragment:

    MALWARE FAMILY: minerpanel
    TYPE: botnet drone
    DESCRIPTION: This host is most likely infected with malware.
    DESTINATION IP: 195.22.26.248
    DESTINATION PORT: 80

I did some digging and the IP address seems to be a sinkhole operated by Anubis.  Traffic to this IP may or may not be malicious.  More information at these links:

https://www.reddit.com/r/techsupport/comments/ifetyd/isp_stating_that_i_have_a_malware_infection_on/

https://www.reddit.com/r/antivirus/comments/hhwich/warning_from_isp_malware_on_my_infrastructure/

The timestamp seems to exclude my main devices.  The tech said there were open port configurations, and I don't think I or my family put those in, so we've reset the modem.  He thinks it should resolve the issue, and left a note on my account to that effect, and to ask them to warn me if they see anything suspicious before disconnecting me from the network, so I'm not dropped mid-lecture.

Hopefully this will no longer be an issue.  Fingers crossed!

Resident Expert

Re: Internet suspension warning, but unable to find malware


@TK2000 wrote:

The timestamp seems to exclude my main devices.


If I remember correctly, the timestamp in the Rogers malware alert is shown for the "Zulu" time zone, which is equivalent to GMT.  You will need to subtract 4 hours to convert this to EDT or 5 hours to convert to EST.



I've Been Here Awhile
Posts: 4

Re: Internet suspension warning, but unable to find malware

That's what I thought too.  The tech sent me one of the logs, which has the following timestamp.

> data: SOURCE TIME: 2020-08-26 01:02:57Z

But when I asked him for the time in EST of the latest event, he said 8-28 7AM.  Which, incidentally, was what the first tech also said.  So I'm guessing this timestamp is either something else, or there is another log entry they are referring to.

Regardless, the only actionable difference would be whether I will get my parents to scan their phones as well, and I'll have them do that just to be safe.

Resident Expert

Re: Internet suspension warning, but unable to find malware


@TK2000 wrote:

> data: SOURCE TIME: 2020-08-26 01:02:57Z


Converted to local time in Toronto, that would be 2020-08-25 9:02:57 PM EDT.

As for tracking down the cause of these alerts, what you really need is a router/firewall that can do outbound connection logging.  You need some way to identify the IP address of the device on your internal network that is making connections to 195.22.26.248.  I don't know if your Hitron CODA modem will allow you to do that.
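The two expert replies above (converting the report's "Z" timestamp to Toronto time, and using outbound connection logging to find which internal host talks to 195.22.26.248) as one added example; this is not code from the thread or from Rogers. It assumes a router in front of the LAN that writes netfilter `LOG` lines to syslog (for instance `iptables -A FORWARD -o eth0 -j LOG --log-prefix "OUT: "` on a Linux or OpenWrt box); the firewall log lines below are constructed for the example, and the report fragment is in the shape the OP quoted. The time conversion uses the system tz database through `zoneinfo`, falling back to the rule the reply states (subtract 4 hours for EDT, 5 for EST) if no database is installed.

```python
"""Added example, not code from the thread: convert the ISP report's UTC
timestamp to Toronto local time, then find which LAN host was talking to the
reported destination around that time using the router's outbound log.

Assumes netfilter LOG lines in syslog, e.g. on a Linux/OpenWrt router:
    iptables -A FORWARD -o eth0 -j LOG --log-prefix "OUT: "
All log lines below are constructed for the example.
"""
import re
from collections import Counter
from datetime import datetime, timedelta, timezone, tzinfo
from typing import Dict, Optional


class _Eastern(tzinfo):
    """Fallback if no tz database is installed: UTC-4 (EDT) in summer, UTC-5
    (EST) in winter, US transition rule in force since 2007 (2nd Sunday of
    March 02:00 to 1st Sunday of November 02:00, local wall time)."""

    @staticmethod
    def _dst_bounds(year: int):
        mar_first_sun = 1 + (6 - datetime(year, 3, 1).weekday()) % 7
        nov_first_sun = 1 + (6 - datetime(year, 11, 1).weekday()) % 7
        return (datetime(year, 3, mar_first_sun + 7, 2),
                datetime(year, 11, nov_first_sun, 2))

    def utcoffset(self, dt):
        start, end = self._dst_bounds(dt.year)
        in_dst = start <= dt.replace(tzinfo=None) < end
        return timedelta(hours=-4) if in_dst else timedelta(hours=-5)

    def dst(self, dt):
        return self.utcoffset(dt) - timedelta(hours=-5)

    def tzname(self, dt):
        return "EDT" if self.dst(dt) else "EST"


try:
    from zoneinfo import ZoneInfo  # Python 3.9+
    LOCAL_TZ = ZoneInfo("America/Toronto")
except Exception:  # no zoneinfo module, or no tz database on this host
    LOCAL_TZ = _Eastern()

# Report fragment in the shape the OP quoted (constructed from the thread).
REPORT = """\
SOURCE TIME: 2020-08-26 01:02:57Z
MALWARE FAMILY: minerpanel
TYPE: botnet drone
DESTINATION IP: 195.22.26.248
DESTINATION PORT: 80
"""

# Constructed router syslog lines (syslog writes local time, no year, no zone).
FIREWALL_LOG = """\
Aug 25 20:58:10 router kernel: OUT: IN=br0 OUT=eth0 SRC=192.168.0.23 DST=142.250.65.78 PROTO=TCP SPT=40122 DPT=443
Aug 25 21:02:41 router kernel: OUT: IN=br0 OUT=eth0 SRC=192.168.0.42 DST=195.22.26.248 PROTO=TCP SPT=51234 DPT=80
Aug 25 21:02:55 router kernel: OUT: IN=br0 OUT=eth0 SRC=192.168.0.42 DST=195.22.26.248 PROTO=TCP SPT=51235 DPT=80
Aug 25 21:03:30 router kernel: OUT: IN=br0 OUT=eth0 SRC=192.168.0.77 DST=195.22.26.248 PROTO=TCP SPT=33001 DPT=80
Aug 25 23:45:00 router kernel: OUT: IN=br0 OUT=eth0 SRC=192.168.0.23 DST=195.22.26.248 PROTO=TCP SPT=33002 DPT=80
"""

LOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) \S+ kernel: OUT: "
    r".*?SRC=(?P<src>\S+) DST=(?P<dst>\S+) .*?DPT=(?P<dpt>\d+)"
)


def parse_report(text: str) -> Dict[str, str]:
    """'KEY: value' lines of the report fragment into a dict."""
    return dict(re.findall(r"^\s*([A-Z ]+):\s*(.+?)\s*$", text, re.M))


def report_time_local(source_time: str) -> datetime:
    """'2020-08-26 01:02:57Z' is UTC; return it as a DST-aware Toronto time."""
    utc = datetime.strptime(source_time, "%Y-%m-%d %H:%M:%SZ").replace(tzinfo=timezone.utc)
    return utc.astimezone(LOCAL_TZ)


def parse_log_time(ts: str, year: int) -> datetime:
    """Syslog stamps carry no year or zone: borrow the report's year, assume local time."""
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S").replace(tzinfo=LOCAL_TZ)


def suspects(log_text: str, report: Dict[str, str],
             window: Optional[timedelta] = timedelta(minutes=30)) -> Counter:
    """Count LAN sources that connected to the reported IP:port within +/-window
    of the report time (window=None: any time)."""
    centre = report_time_local(report["SOURCE TIME"])
    hits: Counter = Counter()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or m.group("dst") != report["DESTINATION IP"] \
                or m.group("dpt") != report["DESTINATION PORT"]:
            continue
        when = parse_log_time(m.group("ts"), centre.year)
        if window is None or abs(when - centre) <= window:
            hits[m.group("src")] += 1
    return hits


if __name__ == "__main__":
    rep = parse_report(REPORT)
    print("report time, local:", report_time_local(rep["SOURCE TIME"]))
    for src, n in suspects(FIREWALL_LOG, rep).most_common():
        print(f"{src}: {n} connection(s) to {rep['DESTINATION IP']}:{rep['DESTINATION PORT']} near the report time")
```

The matching window is deliberately wide because the report's SOURCE TIME is when the sinkhole saw the connection, not when the router logged it, and the two clocks are not synchronised. A matching source IP still has to be mapped back to a MAC and a physical device (the neighbour table or the router's DHCP lease list), and as the reply notes, the CODA modem itself may not expose this kind of log; a separate router or firewall behind it would.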