Internet was blocked for a so called virus????????

I Plan to Stick Around
Posts: 20

Re: Internet was blocked for a so called virus????????

I checked my IP here:
http://botnet.global.sonicwall.com/view
and
https://checkip.kaspersky.com/

and it says my IP is NOT listed. I checked back when Rogers sent me the email. What's up Rogers?

I've Been Here Awhile
Posts: 2

Re: Internet was blocked for a so called virus????????

I have the same problem as @ewong1, @stockylobster and @wylee; this problem has been persisting for more than a month now.

 

IP 99.245.##.### .
data: SOURCE TIME: 2020-08-09 01:51:55Z
IP: 99.245.##.### .
ASN: 812
AS NAME: ROGERS-COMMUNICATIONS, CA
MALWARE FAMILY: isrstealer
TYPE: botnet drone
DESCRIPTION: This host is most likely infected with malware.
DESTINATION IP: 195.22.26.248
DESTINATION PORT: 80
PROTOCOL: 6
UUID
: d1681bd5-16c6-42df-806b-ea29ab6cb32c

 

Different UUIDs for each of the 4 emails I've received.

Took my laptops to Geek Squad and they ran Malwarebytes, Eset, Norton, and Webroot SecureAnywhere but only found some PUPs and PUAs unrelated to the botnets.

Also running a hitron modem, but not bridged.

Were you able to find the source of the malware? And in the meantime how should I go about blocking the destination IP on my modem?

Moderator
Posts: 1,285

Re: Internet was blocked for a so called virus????????

Hello @wane8!

Welcome to our Community!

I know it can be frustrating to track down the root source of a malware infection within your home network. It looks like you've done your due diligence thus far by checking all your laptops.

Have you checked your other devices as well? If you have any IoT devices they can be infected with malware as well. I've also heard of Android phones getting infected too.

Unfortunately, it's no longer just our computers that are open to this kind of attack. Potentially just about any device connected to the Internet could be impacted.

The isrstealer is a keystroke logger from what I understand though, so it's most likely on a device that does have a keyboard. A keystroke logger could be used to steal a lot of personal information from an infected device or network. Once you do find this malware, I would highly recommend that you change all your passwords and protect your accounts with Two-Factor Authentication whenever possible.

Regards,

RogersCorey

I've Been Around
Posts: 1

Re: Internet was blocked for a so called virus????????

Hi there, so I have the same issue; I received an email yesterday indicating that there's a virus on one of our devices at home. I did run some virus scanners like Avast, Malwarebytes and AVG on our computers and phone devices and couldn't find an issue.

I'm stuck as to how to approach or solve this issue now. Can someone kindly provide some advice, please? Thank you!

 

ASN: 812
AS NAME: ROGERS-COMMUNICATIONS, CA
MALWARE FAMILY: quant
TYPE: botnet drone
DESCRIPTION: This host is most likely infected with malware.
DESTINATION IP: 195.22.26.248
DESTINATION PORT: 80
PROTOCOL: 6
UUID
: 39e04aac-f89c-47d9-b7d6-9f67b51c6f7a

 

Resident Expert
Posts: 1,288

Re: Internet was blocked for a so called virus????????


@wane8 wrote:

this problem has been persisting for more than a month now. 

 

IP 99.245.##.### .
data: SOURCE TIME: 2020-08-09 01:51:55Z
IP: 99.245.##.### .
ASN: 812
AS NAME: ROGERS-COMMUNICATIONS, CA
MALWARE FAMILY: isrstealer
TYPE: botnet drone
DESCRIPTION: This host is most likely infected with malware.
DESTINATION IP: 195.22.26.248
DESTINATION PORT: 80
PROTOCOL: 6
UUID
: d1681bd5-16c6-42df-806b-ea29ab6cb32c

 

Different UUIDs for each of the 4 emails I've received.


So... this alert would have occurred at 9:51:55 PM EDT on August 8. Do you know what computer you would have been using or what devices would have been active on your network at that time, and at the times shown in the other alerts?

Took my laptops to Geek Squad and they ran Malwarebytes, Eset, Norton, and Webroot SecureAnywhere but only found some PUPs and PUAs unrelated to the botnets.

Have you received any other alerts since you got your systems disinfected? Rogers most likely sent you the alert after detecting network traffic with a known malware signature (HTTP traffic with a very specific User-Agent string in the header), similar to the detection method shown here:

https://community.rsa.com/community/products/netwitness/blog/2016/12/07/detecting-isr-variants-using...

and apparently, the active malware has cross-platform variants, and the infection can be seen as new/unknown browser extensions and/or innocent-looking installed applications.
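A defender-side illustration of the User-Agent signature approach described in the reply above, added here as an example; it is not code from this thread or from the linked RSA post. It scans constructed HTTP log lines (tab-separated: epoch timestamp, source IP and port, destination IP and port, User-Agent) and reports which internal host produced the matching requests. The User-Agent pattern is a constructed placeholder, not the real ISR Stealer indicator (that is in the linked article); the destination 195.22.26.248:80 is taken from the notification pasted earlier in the thread, and the internal addresses and timestamps are made up.

```python
import re
from datetime import datetime, timezone

# Constructed placeholder signature, NOT the real ISR Stealer User-Agent:
# substitute the indicator from the linked RSA NetWitness post.
SUSPICIOUS_UA = re.compile(r"^PLACEHOLDER-Stealer-UA/\d+\.\d+$")

# Destination taken from the abuse notification quoted in this thread.
ALERT_DST = ("195.22.26.248", 80)

# Constructed sample log, one request per line, tab separated:
# epoch_ts  src_ip  src_port  dst_ip  dst_port  user_agent
# Epoch 1596937915 is 2020-08-09 01:51:55Z, the SOURCE TIME from the alert.
SAMPLE_LOG = (
    "1596937910.123\t192.168.0.12\t51234\t203.0.113.5\t80\tMozilla/5.0 (Windows NT 10.0) Chrome/84.0\n"
    "1596937915.456\t192.168.0.27\t40211\t195.22.26.248\t80\tPLACEHOLDER-Stealer-UA/1.0\n"
    "1596937920.789\t192.168.0.12\t51240\t195.22.26.248\t80\tMozilla/5.0 (Windows NT 10.0) Chrome/84.0\n"
    "1596937925.000\t192.168.0.27\t40215\t195.22.26.248\t80\tPLACEHOLDER-Stealer-UA/1.0\n"
)


def parse_line(line):
    """Split one log line into a dict; return None for malformed lines."""
    parts = line.rstrip("\n").split("\t")
    if len(parts) != 6:
        return None
    ts, src_ip, _src_port, dst_ip, dst_port, ua = parts
    try:
        when = datetime.fromtimestamp(float(ts), tz=timezone.utc)
        return {"ts": when, "src": src_ip, "dst": (dst_ip, int(dst_port)), "ua": ua}
    except ValueError:
        return None


def score_sources(log_text, ua_pattern=SUSPICIOUS_UA, dst=ALERT_DST):
    """Per internal source IP: count signature hits and plain contacts with the alert destination.

    A User-Agent signature hit is strong evidence; a bare connection to the
    destination IP is weak (the same server may also host ordinary content).
    """
    summary = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        entry = summary.setdefault(
            rec["src"], {"ua_hits": 0, "dst_hits": 0, "first": None, "last": None}
        )
        if rec["dst"] == dst:
            entry["dst_hits"] += 1
        if ua_pattern.match(rec["ua"]):
            entry["ua_hits"] += 1
            entry["first"] = rec["ts"] if entry["first"] is None else min(entry["first"], rec["ts"])
            entry["last"] = rec["ts"] if entry["last"] is None else max(entry["last"], rec["ts"])
    return summary


def prime_suspect(log_text):
    """Return the source IP with the most signature hits, or None if there are none."""
    summary = score_sources(log_text)
    best = max(summary.items(), key=lambda kv: kv[1]["ua_hits"], default=None)
    if best is None or best[1]["ua_hits"] == 0:
        return None
    return best[0]


if __name__ == "__main__":
    for src, info in score_sources(SAMPLE_LOG).items():
        print(src, info)
    print("prime suspect:", prime_suspect(SAMPLE_LOG))
```

Point it at a router, proxy or Zeek-style log export in the same column order. Note that the second host in the sample also reaches the destination IP, but with an ordinary browser User-Agent, which is why the ranking keys on signature hits rather than on the destination alone.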



I've Been Here Awhile
Posts: 2

Re: Internet was blocked for a so called virus????????

Hi @-G-  and @RogersCorey , thank you very much for your quick replies and help!

 

So... this alert would have occurred at 9:51:55 PM EDT on August 8.  Do you know what computer you would have been using or what devices would have been active on your network at that time, and at the times shown in the other alerts?

Does this mean the source time is not running on EDT? I had actually just finished a virus scan session with Geek Squad on one of the laptops at 8pm EDT Aug 8 with no botnets found.  There was also another laptop running at the time (which was scanned by Geek squad a week ago and found clean as well), android phones (also scanned and clean), a TV android box and security cameras.  One of the email alerts lists the source time at Jul 13, 8:51am (which is 4:51am EDT?), but none of my devices were switched on at that time besides my security cameras.

 

Rogers tech support had also informed me the source time stated in the email is not the time the hit occurs, but rather the time of their security scans, which left me quite confused as to when the violations actually happened.

 

Have you received any other alerts since you got your systems disinfected?  Rogers most likely sent you the alert after detecting network traffic with a known malware signature (HTTP traffic with a very specific User-Agent string in the header), similar to the detection method shown here:

 

https://community.rsa.com/community/products/netwitness/blog/2016/12/07/detecting-isr-variants-using...

 

and apparently, the active malware has cross-platform variants, and the infection can be seen as new/unknown browser extensions and/or innocent-looking installed applications.


The most recent scan and disinfect done by Geek Squad was on Aug 8, 8PM, but seeing as the most recent source time stated in the email was at 9:51PM it looks like the issue wasn't resolved. Also many thanks for the site link - I'm not sure I fully understand the contents of the webpage, but I did check out the "Scan results for an ISR binary" page and compared them with previous scan logs from my laptops with no matches. This might be a far stretch, but is it possible for a botnet to sense when an AV scan is being performed on the laptop, upload itself onto the home wi-fi network, then re-download itself onto the laptop after the scan is finished to escape detection completely? Also, would a botnet be able to infect other devices on the same network?

 

In reply to @RogersCorey ,

 

"The isrstealer is a keystroke logger from what I understand though, so it's most likely on a device that does have a keyboard. "

 

That's a good point - if so, would it be possible for isrstealer to infect my TV android box? That's the only device connected to my network but not scanned, aside from the security cameras.  It also has an on-screen keyboard.

 

Again, many thanks for your help and input.  I'm at a loss on what to do as this is my final warning before suspension, so your insights are greatly appreciated.

Resident Expert
Posts: 1,288

Re: Internet was blocked for a so called virus????????


@wane8 wrote:

Does this mean the source time is not running on EDT?


The time of the alert shown in your post was 2020-08-09 01:51:55Z , or Zulu Time, which is equivalent to UTC, and EDT is four hours behind UTC.

 

Rogers tech support had also informed me the source time stated in the email is not the time the hit occurs, but rather the time of their security scans, which left me quite confused as to when the violations actually happened.


Okay, but this is not the kind of alert that I would expect to be triggered by a network scan.

 

An active scan detects open TCP and UDP ports, where devices under your control are responding to connection attempts from the Internet. e.g., if Rogers detects active NetBIOS listeners, you might unknowingly be sharing a disk/directory (very publicly!) and your private data could be exposed. If Rogers detects that your gateway is responding to UPnP SSDP M-SEARCH requests, botnets could detect this as well and exploit your systems to launch a reflection-based DDoS attack on their targets.

 

In your case, somebody or something detected suspicious traffic coming from your network, because one of your devices was sending traffic (likely matching a specific signature) to some server on the Internet.  (You were apparently connecting to some system in Portugal, a server that was probably also hacked and infected with malware.)

 

Sometimes, such alerts initially come from a cyber security research organization.  When a criminal botnet gets taken down, non-malicious servers are often left running in their place so that unknowing victims can be alerted that they have been infected.

 

Traffic from infected systems can also be picked up using deep packet inspection, and this is what I had assumed triggered your alert from Rogers.

 

However, while these alerts identify a real problem, it is frustrating when they can't identify the source on your network... and that can't really happen unless our Internet routers/firewalls/gateways can also play an active role in threat detection and mitigation.

 

This might be a far stretch, but is it possible for a botnet to sense when an AV scan is being performed on the laptop, upload itself onto the home wi-fi network, then re-download itself onto the laptop after the scan is finished to escape detection completely? Also, would a botnet be able to infect other devices on the same network?


Keep in mind that AV scanners can only detect malicious software that has a known signature and that is also known to them.  Some malware is very stealthy and can hide from conventional anti-virus tools.  It is also definitely possible for sophisticated malware to detect vulnerable systems/devices on your network and infect them as well.
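To make the time-zone point concrete, and to show how a notification like the one pasted earlier in this thread can be matched against a home router's own records, here is an added example; it is not code from this thread, from Rogers or from the reporting service. It parses the notification fields as they appear in the paste (including the UUID label that was split across two lines), converts SOURCE TIME from Zulu/UTC to EDT (a fixed UTC-4 offset, as the reply above explains; the assumption is that the alert falls in daylight-saving time), and then lists which internal device contacted the destination IP and port within a few minutes of that time. The connection-tracking records and the DHCP lease table are constructed sample data, and the device names are assumptions.

```python
import re
from datetime import datetime, timedelta, timezone

# The notification text as pasted in this thread (the poster masked two octets).
ALERT_TEXT = """\
data: SOURCE TIME: 2020-08-09 01:51:55Z
IP: 99.245.##.### .
ASN: 812
AS NAME: ROGERS-COMMUNICATIONS, CA
MALWARE FAMILY: isrstealer
TYPE: botnet drone
DESCRIPTION: This host is most likely infected with malware.
DESTINATION IP: 195.22.26.248
DESTINATION PORT: 80
PROTOCOL: 6
UUID
: d1681bd5-16c6-42df-806b-ea29ab6cb32c
"""

# EDT is UTC-4 (assumption: the alert falls within daylight-saving time, as here);
# a fixed offset avoids depending on the system's time-zone database.
EDT = timezone(timedelta(hours=-4), "EDT")

# Constructed router connection-tracking records, not taken from any real device:
# (utc_epoch_seconds, internal_ip, destination_ip, destination_port)
SAMPLE_CONNTRACK = [
    (1596937900, "192.168.0.12", "203.0.113.5", 443),
    (1596937913, "192.168.0.27", "195.22.26.248", 80),  # 2 s before SOURCE TIME
    (1596938500, "192.168.0.31", "195.22.26.248", 80),  # about 10 min after, outside the window
]

# Constructed DHCP lease table; the device names are assumptions for illustration.
SAMPLE_LEASES = {
    "192.168.0.12": "laptop-1",
    "192.168.0.27": "android-tv-box",
    "192.168.0.31": "laptop-2",
}


def parse_alert(text):
    """Parse 'KEY: value' lines into a dict, tolerating the leading 'data:' prefix
    and a label (UUID) whose value the paste puts on the following line."""
    fields = {}
    pending_key = None
    for raw in text.splitlines():
        line = re.sub(r"^\s*data:\s*", "", raw).strip()
        if not line:
            continue
        if line.startswith(":") and pending_key:
            fields[pending_key] = line[1:].strip()
            pending_key = None
        elif ":" in line:
            key, _, value = line.partition(":")
            value = value.strip()
            if value.endswith(" ."):          # stray " ." after the masked IP
                value = value[:-2].strip()
            fields[key.strip().upper()] = value
        else:
            pending_key = line.upper()        # label with no value on its line
    return fields


def source_time_utc(fields):
    """SOURCE TIME ends in 'Z' (Zulu), so it is UTC."""
    return datetime.strptime(fields["SOURCE TIME"], "%Y-%m-%d %H:%M:%SZ").replace(tzinfo=timezone.utc)


def local_time(fields, tz=EDT):
    """The same instant in the local zone, for matching against household activity."""
    return source_time_utc(fields).astimezone(tz)


def devices_active_near(fields, conntrack, leases, window=timedelta(minutes=5)):
    """Name internal devices that reached the alert's destination within +/- window of SOURCE TIME."""
    when = source_time_utc(fields)
    target = (fields["DESTINATION IP"], int(fields["DESTINATION PORT"]))
    hits = []
    for epoch, src, dst_ip, dst_port in conntrack:
        seen = datetime.fromtimestamp(epoch, tz=timezone.utc)
        if (dst_ip, dst_port) == target and abs(seen - when) <= window:
            hits.append((leases.get(src, "unknown-device"), src, seen.astimezone(EDT).isoformat()))
    return hits


if __name__ == "__main__":
    alert = parse_alert(ALERT_TEXT)
    print("alert time (UTC):", source_time_utc(alert).isoformat())
    print("alert time (EDT):", local_time(alert).strftime("%Y-%m-%d %I:%M:%S %p %Z"))
    for name, ip, seen in devices_active_near(alert, SAMPLE_CONNTRACK, SAMPLE_LEASES):
        print(f"{name} ({ip}) contacted the destination at {seen}")
```

The window is deliberately narrow because, as noted in the thread, the SOURCE TIME may be the reporter's observation time rather than the moment of the first connection; widen it if your router only keeps coarse records, and repeat the match for each of the notifications you received, since every one carries its own SOURCE TIME.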



I've Been Here Awhile
Posts: 2

Re: Internet was blocked for a so called virus????????

So is there any real solution, as I am getting an email now stating it's a final notice? Isn't it Rogers' responsibility to provide safe and secure internet? I am totally confused, as I have checked all devices and no one could find anything.
I also checked with my friends who are not using Rogers and none of them are aware of any such activity or emails from their service providers.
I have been using Rogers for years and years and really want to keep it, but these emails and the threat of getting personal info stolen just scares

Resident Expert
Posts: 1,288

Re: Internet was blocked for a so called virus????????

@As2020 What specific security alert(s) are you receiving, and have you contacted Rogers Tech Support for assistance? Is the problem related to the configuration of a device on your network, or were the warnings triggered due to malicious network traffic originating from your IP address?



I've Been Around
Posts: 1

Re: Internet was blocked for a so called virus????????

I just got this also, exact same malware family and type, same IP address. What do I do?