
Internet was blocked for a so called virus????????

Dantheman2000
I've been around

My internet was blocked twice for apparently having a virus I was not aware of. The second time we called tech support they told us to do the same procedure as the first, using the antivirus provided over an email. I had done that whole procedure before and no infection was detected on any of my laptops. I was even suggested an antivirus by the second tech guy, which I scanned my main laptop with, and still no infection. So I'm very confused on what the problem may be. He told me of a virus that could get by the antivirus things, but even after the one he had recommended to me, which is a strong antivirus apparently... still nothing... And my main laptop is brand new. I'm still left confused because I do not know of any virus going on at all. And I can't keep having my internet blocked, as I'm a college student and really need the internet for my studies.

Re: Internet was blocked for a so called virus????????

stockylobster
I plan to stick around

Just installed Skynet. Would you recommend I turn on AI Protection or is Skynet enough?

Re: Internet was blocked for a so called virus????????

AI Protection is a conundrum. There are privacy issues, as your websites are cleared by Trend Micro, so Trend Micro knows what sites you visit, and then there's the question of whether or not AI Protection actually indicates if it detects anything. With Skynet and Diversion running on my 86U, I hadn't seen any records for weeks if not months, but then, I block a number of countries, inbound and outbound, so perhaps the blocking takes care of a number of potential incidents, but still, I would have expected some indication from AI Protection. In any event I found that AI Protection caused more stability issues than it was worth, so I disabled it. For your particular circumstance, perhaps it's worth turning it on to see if it indicates anything. Watch for any problems running the add-ons that you didn't have previous to this. If that happens, I'd blame it on AI Protection.

Don't know, perhaps Trend Micro has done something to improve the stability? It might be worth a shot, as I haven't run it for a considerable amount of time. I'm considering loading Suricata to see what turns up.

Note that for country blocking, adding countries to an existing list requires that you re-enter the entire existing list plus the new countries. As that's a paste into the command line, it's not difficult. So, for example, if you had Russia and China in the existing list:

cn ru

as displayed in that fashion in Skynet, to add other countries you would enter:

cn ru pt ro rs

for China, Russia, Portugal, Romania and Serbia.

Whenever you enter a country list of any length, the existing list is removed and then the IP addresses for each country in the new list are downloaded for blocking purposes. This list isn't updated after it's downloaded, but I don't know if IP blocks assigned to countries change very much, if at all. So, to update the country IP address list that corresponds to the entered countries, you would have to enter the same list again, to automatically remove the existing IP list, download the current IP list and automatically load that into the blocking list.

Fwiw, I also run a 68U with the same long country block list. I don't run Diversion on the 68U as I don't know how the 68U will do for available memory, even with the swap file. I don't keep track of the 68U's available memory on a regular basis and it's been a while since I looked at it.

Re: Internet was blocked for a so called virus????????

stockylobster
I plan to stick around

I'm getting some data from Skynet:

https://imgur.com/I7iHpGC

It appears the culprit is my Android box.

PS: Thank you for this very useful information! Skynet is awesome!

Re: Internet was blocked for a so called virus????????

ewong1
I've been around

I have the same issue as @stockylobster.

IP 99.228.###.##.
data: SOURCE TIME: 2020-07-13 02:20:37Z
IP: 99.228.###.##
ASN: 812
AS NAME: ROGERS-COMMUNICATIONS, CA
MALWARE FAMILY: isrstealer
TYPE: botnet drone
DESCRIPTION: This host is most likely infected with malware.
DESTINATION IP: 195.22.26.248
DESTINATION PORT: 80
PROTOCOL: 6
UUID: d73c3a63-d9c2-43df-93c7-91ed73c8fd4d

I have received the same email 3 times but with a different UUID.

I ran Malwarebytes on my laptop and desktop and found nothing. I even factory reset them.

I have a Hitron CGN3 modem bridged to a D-Link DIR-859 router.

I have blocked the destination IP.

Anyone know how I can find the infected device?

Re: Internet was blocked for a so called virus????????

Hello, @ewong1,

Thank you for your post and welcome to the Community.
I hope you and your loved ones are doing well and staying safe.

I understand your desire to know what is causing this notification and you've certainly come to the right place to find out more.

If you're experiencing the same issue as @stockylobster, I'd recommend you have a look at @Datalink's reply to his problem. If you've already gone through those steps and you need further assistance, please let us know!


RogersRob

Re: Internet was blocked for a so called virus????????

wylee
I've been around

I have the same problem as @ewong1 . How did you block the destination IP?

Re: Internet was blocked for a so called virus????????

Ann75
I've been here awhile
We never figured out where the virus was, even after taking our laptops to a shop. We ended up changing our provider.

Re: Internet was blocked for a so called virus????????

stockylobster
I plan to stick around
It could be a false positive. Multiple services could be sharing the same IP address.

Re: Internet was blocked for a so called virus????????

I checked my ip here:
http://botnet.global.sonicwall.com/view
and
https://checkip.kaspersky.com/

and it says my IP is NOT listed. I checked back when Rogers sent me the email. What's up, Rogers?

Re: Internet was blocked for a so called virus????????

wane8
I've been here awhile

I have the same problem as @ewong1, @stockylobster and @wylee; this problem has been persisting for more than a month now.

IP 99.245.##.###.
data: SOURCE TIME: 2020-08-09 01:51:55Z
IP: 99.245.##.###
ASN: 812
AS NAME: ROGERS-COMMUNICATIONS, CA
MALWARE FAMILY: isrstealer
TYPE: botnet drone
DESCRIPTION: This host is most likely infected with malware.
DESTINATION IP: 195.22.26.248
DESTINATION PORT: 80
PROTOCOL: 6
UUID: d1681bd5-16c6-42df-806b-ea29ab6cb32c

Different UUIDs for each of the 4 emails I've received.

Took my laptops to Geek Squad and they ran Malwarebytes, Eset, Norton, and Webroot SecureAnywhere but only found some PUPs and PUAs unrelated to the botnets.

Also running a Hitron modem, but not bridged.

Were you able to find the source of the malware? And in the meantime how should I go about blocking the destination IP on my modem?

Re: Internet was blocked for a so called virus????????

Hello @wane8!

Welcome to our Community!

I know it can be frustrating to track down the root source of a malware infection within your home network. It looks like you've done your due diligence thus far by checking all your laptops.

Have you checked your other devices as well? If you have any IoT devices, they can be infected with malware as well. I've also heard of Android phones getting infected too.

Unfortunately, it's no longer just our computers that are open to this kind of attack. Potentially just about any device connected to the Internet could be impacted.

The isrstealer is a keystroke logger from what I understand, though, so it's most likely on a device that does have a keyboard. A keystroke logger could be used to steal a lot of personal information from an infected device or network. Once you do find this malware, I would highly recommend that you change all your passwords and protect your accounts with two-factor authentication whenever possible.

Regards,

RogersCorey

Re: Internet was blocked for a so called virus????????

Blue_sky2
I've been around

Hi there, so I have the same issue; I received an email yesterday indicating that there's a virus on one of our devices at home. I did run some virus scanners like Avast, Malwarebytes and AVG on our computers and phones and couldn't find an issue.

I'm stuck as to how to approach or solve this issue now. Can someone kindly provide some advice, please. Thank you!

ASN: 812
AS NAME: ROGERS-COMMUNICATIONS, CA
MALWARE FAMILY: quant
TYPE: botnet drone
DESCRIPTION: This host is most likely infected with malware.
DESTINATION IP: 195.22.26.248
DESTINATION PORT: 80
PROTOCOL: 6
UUID: 39e04aac-f89c-47d9-b7d6-9f67b51c6f7a

Re: Internet was blocked for a so called virus????????

-G-
Resident Expert

@wane8 wrote:

this problem has been persisting for more than a month now.

IP 99.245.##.###.
data: SOURCE TIME: 2020-08-09 01:51:55Z
IP: 99.245.##.###
ASN: 812
AS NAME: ROGERS-COMMUNICATIONS, CA
MALWARE FAMILY: isrstealer
TYPE: botnet drone
DESCRIPTION: This host is most likely infected with malware.
DESTINATION IP: 195.22.26.248
DESTINATION PORT: 80
PROTOCOL: 6
UUID: d1681bd5-16c6-42df-806b-ea29ab6cb32c

Different UUIDs for each of the 4 emails I've received.

So... this alert would have occurred at 9:51:55 PM EDT on August 8. Do you know what computer you would have been using or what devices would have been active on your network at that time, and at the times shown in the other alerts?

Took my laptops to Geek Squad and they ran Malwarebytes, Eset, Norton, and Webroot SecureAnywhere but only found some PUPs and PUAs unrelated to the botnets.

Have you received any other alerts since you got your systems disinfected? Rogers most likely sent you the alert after detecting network traffic with a known malware signature (HTTP traffic with a very specific User-Agent string in the header), similar to the detection method shown here:

https://community.rsa.com/community/products/netwitness/blog/2016/12/07/detecting-isr-variants-using...

and apparently, the active malware has cross-platform variants, and the infection can be seen as new/unknown browser extensions and/or innocent-looking installed applications.

Re: Internet was blocked for a so called virus????????

wane8
I've been here awhile

Hi @-G- and @RogersCorey, thank you very much for your quick replies and help!

So... this alert would have occurred at 9:51:55 PM EDT on August 8. Do you know what computer you would have been using or what devices would have been active on your network at that time, and at the times shown in the other alerts?

Does this mean the source time is not running on EDT? I had actually just finished a virus scan session with Geek Squad on one of the laptops at 8pm EDT Aug 8 with no botnets found. There was also another laptop running at the time (which was scanned by Geek Squad a week ago and found clean as well), Android phones (also scanned and clean), a TV Android box and security cameras. One of the email alerts lists the source time at Jul 13, 8:51am (which is 4:51am EDT?), but none of my devices were switched on at that time besides my security cameras.

Rogers tech support had also informed me the source time stated in the email is not the time the hit occurs, but rather the time of their security scans, which left me quite confused as to when the violations actually happened.

Have you received any other alerts since you got your systems disinfected? Rogers most likely sent you the alert after detecting network traffic with a known malware signature (HTTP traffic with a very specific User-Agent string in the header), similar to the detection method shown here:

https://community.rsa.com/community/products/netwitness/blog/2016/12/07/detecting-isr-variants-using...

and apparently, the active malware has cross-platform variants, and the infection can be seen as new/unknown browser extensions and/or innocent-looking installed applications.

The most recent scan and disinfect done by Geek Squad was on Aug 8, 8PM, but seeing as the most recent source time stated in the email was at 9:51PM it looks like the issue wasn't resolved. Also many thanks for the site link - I'm not sure I fully understand the contents of the webpage, but I did check out the "Scan results for an ISR binary" page and compared them with previous scan logs from my laptops with no matches. This might be a far stretch, but is it possible for a botnet to sense when an AV scan is being performed on the laptop, upload itself onto the home wi-fi network, then re-download itself onto the laptop after the scan is finished to escape detection completely? Also, would a botnet be able to infect other devices on the same network?

In reply to @RogersCorey,

"The isrstealer is a keystroke logger from what I understand though, so it's most likely on a device that does have a keyboard."

That's a good point - if so, would it be possible for isrstealer to infect my TV Android box? That's the only device connected to my network but not scanned, aside from the security cameras. It also has an on-screen keyboard.

Again, many thanks for your help and input. I'm at a loss on what to do as this is my final warning before suspension, so your insights are greatly appreciated.

Re: Internet was blocked for a so called virus????????

-G-
Resident Expert

@wane8 wrote:

Does this mean the source time is not running on EDT?

The time of the alert shown in your post was 2020-08-09 01:51:55Z, or Zulu Time, which is equivalent to UTC, and EDT is four hours behind UTC.

Rogers tech support had also informed me the source time stated in the email is not the time the hit occurs, but rather the time of their security scans, which left me quite confused as to when the violations actually happened.

Okay, but this is not the kind of alert that I would expect to be triggered by a network scan.

An active scan detects open TCP and UDP ports, where devices under your control are responding to connection attempts from the Internet. E.g. if Rogers detects active NetBIOS listeners, you might unknowingly be sharing a disk/directory (very publicly!) and your private data could be exposed. If Rogers detects that your gateway is responding to UPnP SSDP M-SEARCH requests, botnets could detect this as well and exploit your systems to launch a reflection-based DDoS attack on their targets.

In your case, somebody or something detected suspicious traffic coming from your network, because one of your devices was sending traffic (likely matching a specific signature) to some server on the Internet. (You were apparently connecting to some system in Portugal, a server that was probably also hacked and infected with malware.)

Sometimes, such alerts initially come from a cyber security research organization. When a criminal botnet gets taken down, non-malicious servers are often left running in their place so that unknowing victims can be alerted that they have been infected.

Traffic from infected systems can also be picked up using deep packet inspection, and this is what I had assumed triggered your alert from Rogers.

However, while these alerts identify a real problem, it is frustrating when they can't identify the source on your network... and that can't really happen unless our Internet routers/firewalls/gateways can also play an active role in threat detection and mitigation.

This might be a far stretch, but is it possible for a botnet to sense when an AV scan is being performed on the laptop, upload itself onto the home wi-fi network, then re-download itself onto the laptop after the scan is finished to escape detection completely? Also, would a botnet be able to infect other devices on the same network?

Keep in mind that AV scanners can only detect malicious software that has a known signature and that is also known to them. Some malware is very stealthy and can hide from conventional anti-virus tools. It is also definitely possible for sophisticated malware to detect vulnerable systems/devices on your network and infect them as well.
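An added check to go with -G-'s point about gateways that answer UPnP SSDP M-SEARCH from the Internet (example code written for this page, not from any post in the thread and not Rogers' tooling): it builds the standard M-SEARCH discovery request, sends one unicast copy to a host on UDP 1900 and parses any replies. Run it from outside your own network (a phone hotspot or a VPS) against your own public IP: a 200 OK from the WAN side means the gateway talks SSDP to the Internet and can be abused as a DDoS reflector, so UPnP should be disabled or confined to the LAN. Run from inside the LAN it only enumerates local UPnP devices. Only probe addresses you own. The reply bytes in SAMPLE_REPLY are constructed; everything else is the Python standard library.

```python
"""Probe a host for UPnP SSDP discovery responses (added example, stdlib only).

A gateway that answers M-SEARCH on its WAN side is exactly what an ISP's
active scan (and a DDoS-for-hire crew) will notice.
"""
import socket
import sys

SSDP_MCAST = "239.255.255.250"
SSDP_PORT = 1900


def build_msearch(st="ssdp:all", mx=2):
    """Standard SSDP discovery request as defined by UPnP Device Architecture 1.1."""
    return (
        "M-SEARCH * HTTP/1.1\r\n"
        f"HOST: {SSDP_MCAST}:{SSDP_PORT}\r\n"
        'MAN: "ssdp:discover"\r\n'
        f"MX: {mx}\r\n"
        f"ST: {st}\r\n"
        "\r\n"
    ).encode("ascii")


def parse_ssdp_response(data):
    """Return upper-cased headers of an 'HTTP/1.1 200' reply, or None for anything else."""
    text = data.decode("latin-1", errors="replace")
    head = text.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    if not lines[0].upper().startswith("HTTP/1.1 200"):
        return None
    headers = {}
    for line in lines[1:]:
        key, sep, value = line.partition(":")
        if sep:
            headers[key.strip().upper()] = value.strip()
    return headers


def probe(host, timeout=2.0, st="ssdp:all"):
    """Send one unicast M-SEARCH to host:1900 and collect every parsable reply."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    responders = []
    try:
        sock.sendto(build_msearch(st), (host, SSDP_PORT))
        while True:
            try:
                data, addr = sock.recvfrom(4096)
            except socket.timeout:
                break
            headers = parse_ssdp_response(data)
            if headers is not None:
                responders.append((addr[0], headers))
    finally:
        sock.close()
    return responders


# Constructed reply, shaped like what a MiniUPnPd-based home router returns.
SAMPLE_REPLY = (
    b"HTTP/1.1 200 OK\r\n"
    b"CACHE-CONTROL: max-age=1800\r\n"
    b"ST: upnp:rootdevice\r\n"
    b"USN: uuid:00000000-0000-0000-0000-000000000000::upnp:rootdevice\r\n"
    b"LOCATION: http://192.168.0.1:49152/rootDesc.xml\r\n"
    b"SERVER: Linux UPnP/1.1 MiniUPnPd/2.0\r\n"
    b"EXT:\r\n"
    b"\r\n"
)

if __name__ == "__main__":
    # No argument: multicast on the local segment.  Argument: your own public IP,
    # run from outside your network.
    target = sys.argv[1] if len(sys.argv) > 1 else SSDP_MCAST
    for ip, hdrs in probe(target):
        print(f"{ip} answers SSDP: ST={hdrs.get('ST')} SERVER={hdrs.get('SERVER')} "
              f"LOCATION={hdrs.get('LOCATION')}")
```

Usage: `python3 ssdp_probe.py <your public IP>` from a host outside your network. A LOCATION header pointing at an RFC 1918 address in a reply received over the Internet is the tell-tale sign that the gateway is relaying internal UPnP to the outside. A router that answers does not by itself explain the botnet alert in this thread, but it is one of the findings an ISP's active scan reports.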

Re: Internet was blocked for a so called virus????????

As2020
I've been here awhile
So is there any real solution, as I am now getting an email stating it's the final notice? Isn't it Rogers' responsibility to provide safe and secure internet? I am totally confused, as I have checked all devices and no one could find anything.
I also checked with my friends who are not using Rogers and none of them are aware of any such activity or emails from their service providers.
I have been using Rogers for years and years and really want to keep it, but these emails and the threat of getting personal info stolen just scares

Re: Internet was blocked for a so called virus????????

-G-
Resident Expert

@As2020 What specific security alert(s) are you receiving and have you contacted Rogers Tech Support for assistance? Is the problem related to the configuration of a device on your network or were the warnings triggered due to malicious network traffic originating from your IP address?

Re: Internet was blocked for a so called virus????????

GSGSGS
I've been around

I just got this also, exact same malware family and type, same IP address. What do I do?

Re: Internet was blocked for a so called virus????????

RogersJo
Retired Moderator

Hey @GSGSGS

Congrats on your first post and welcome to the Rogers Community Forums! 🙌 I hope you're staying safe and sound. I know first hand how frustrating it is to be affected by a virus and how inconvenient it is. Are you able to find the root cause of the malware? Have you checked your other devices as well?

Our Resident Expert @Datalink had a great response pertaining to this very issue. You can check out his post HERE

Please let us know if that helps and feel free to reach out in the event that you require additional assistance!

Cheers!

RogersJo

Re: Internet was blocked for a so called virus????????

I experienced the same issue for the last couple of months, and had my internet service suspended a few times. Ran Malwarebytes, AVG and the Rogers anti-virus scan on all my Windows machines per Rogers tech support, and also reinstalled Windows. Everything came out clean and this is frustrating.

Finally I added a D-Link router to the Rogers modem running in bridge mode, and configured a DIR-2640 firewall rule to block all internal DHCP IP addresses from connecting to DESTINATION IP: 195.22.26.248 and DESTINATION PORT: 80. Hopefully this will stop the Rogers Internet suspensions; if this does not work, I will most likely switch to another provider.

I am kind of disappointed that Rogers has known about this issue since 2014 and did not take action to secure customers' routers or provide a solution to block the malware botnet drone. Rather, Rogers suspends internet service, upsetting customers.
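Several posts above ask two things: how to block the destination IP, and how to find which device on the LAN is actually talking to it. The script below is an added example written for this page (not Rogers' tooling and not from any post) for an iptables-based router such as Asuswrt-Merlin or OpenWrt, which is where the block belongs when the modem is in bridge mode. It parses the abuse-report block quoted in the thread, converts SOURCE TIME from Zulu/UTC to EDT (UTC-4, as -G- explained; a fixed offset is used so the example runs offline, use zoneinfo("America/Toronto") in practice), emits a LOG rule followed by a DROP rule for the FORWARD chain, and then reads the kernel LOG lines back to name the LAN device by IP and source MAC. The LOG rule is what turns a block into an identification: a DROP rule on its own, like the DIR-2640 rule described above, stops the beacon but leaves the infected device unknown. The report text and syslog lines are constructed samples; the masked IP and the UUID are copied from the thread as posted.

```python
"""Correlate an ISP botnet abuse report with a router's iptables LOG lines.

Added example for this thread, not Rogers' tooling.  Assumes the router doing
the NAT runs iptables, so LAN -> Internet traffic crosses FORWARD and LOG
output lands in syslog.
"""
import re
from datetime import datetime, timedelta, timezone

# The thread states SOURCE TIME is Zulu/UTC and EDT is UTC-4.  Fixed offset so
# this runs offline; zoneinfo("America/Toronto") handles DST in real use.
EDT = timezone(timedelta(hours=-4), "EDT")
PROTO_NAMES = {6: "tcp", 17: "udp"}


def parse_report(text):
    """Parse the KEY: value block from the abuse e-mail quoted in the thread."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip():
            fields[key.strip().upper()] = value.strip()
    when = datetime.strptime(fields["SOURCE TIME"], "%Y-%m-%d %H:%M:%SZ")
    when = when.replace(tzinfo=timezone.utc)
    proto = int(fields["PROTOCOL"])
    return {
        "time_utc": when,
        "time_edt": when.astimezone(EDT),
        "dst_ip": fields["DESTINATION IP"],
        "dst_port": int(fields["DESTINATION PORT"]),
        "proto": PROTO_NAMES.get(proto, str(proto)),
        "family": fields.get("MALWARE FAMILY", "?"),
    }


def iptables_rules(report, prefix="C2-BLOCK: "):
    """FORWARD-chain rules: LOG first so the LAN source is recorded, then DROP."""
    match = f"-d {report['dst_ip']} -p {report['proto']} --dport {report['dst_port']}"
    return [
        f'iptables -I FORWARD 1 {match} -j LOG --log-prefix "{prefix}"',
        f"iptables -I FORWARD 2 {match} -j DROP",
    ]


# MAC= in a netfilter LOG line is the first 14 bytes of the Ethernet header:
# destination MAC (6), source MAC (6), ethertype (2).  The LAN device is the
# source MAC, which you then look up in the router's DHCP client table.
LOG_RE = re.compile(
    r"MAC=(?P<mac>[0-9a-f:]+) SRC=(?P<src>\S+) DST=(?P<dst>\S+) "
    r".*?PROTO=(?P<proto>\w+) SPT=\d+ DPT=(?P<dpt>\d+)"
)


def find_sources(log_lines, report):
    """Return [((lan_ip, lan_mac), hits), ...] for flows to the reported destination."""
    counts = {}
    for line in log_lines:
        m = LOG_RE.search(line)
        if not m or m["dst"] != report["dst_ip"]:
            continue
        if int(m["dpt"]) != report["dst_port"] or m["proto"].lower() != report["proto"]:
            continue
        octets = m["mac"].split(":")
        lan_mac = ":".join(octets[6:12]) if len(octets) >= 12 else "?"
        key = (m["src"], lan_mac)
        counts[key] = counts.get(key, 0) + 1
    return sorted(counts.items(), key=lambda kv: -kv[1])


# Constructed sample in the report format quoted in the thread (IP masked as posted).
SAMPLE_REPORT = """\
SOURCE TIME: 2020-08-09 01:51:55Z
IP: 99.245.##.###
ASN: 812
AS NAME: ROGERS-COMMUNICATIONS, CA
MALWARE FAMILY: isrstealer
TYPE: botnet drone
DESCRIPTION: This host is most likely infected with malware.
DESTINATION IP: 195.22.26.248
DESTINATION PORT: 80
PROTOCOL: 6
UUID: d1681bd5-16c6-42df-806b-ea29ab6cb32c
"""

# Constructed syslog lines as the LOG rule would write them.  Only the first
# two are hits; the third goes to the same IP on port 443, not the reported port.
SAMPLE_SYSLOG = [
    "Aug  8 21:51:54 router kernel: C2-BLOCK: IN=br0 OUT=eth0 "
    "MAC=aa:bb:cc:dd:ee:01:10:20:30:40:50:60:08:00 SRC=192.168.1.23 DST=195.22.26.248 "
    "LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=4242 DF PROTO=TCP SPT=51234 DPT=80 WINDOW=29200 RES=0x00 SYN URGP=0",
    "Aug  8 21:51:57 router kernel: C2-BLOCK: IN=br0 OUT=eth0 "
    "MAC=aa:bb:cc:dd:ee:01:10:20:30:40:50:60:08:00 SRC=192.168.1.23 DST=195.22.26.248 "
    "LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=4243 DF PROTO=TCP SPT=51235 DPT=80 WINDOW=29200 RES=0x00 SYN URGP=0",
    "Aug  8 21:52:10 router kernel: OTHER: IN=br0 OUT=eth0 "
    "MAC=aa:bb:cc:dd:ee:01:de:ad:be:ef:00:01:08:00 SRC=192.168.1.40 DST=195.22.26.248 "
    "LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=99 DF PROTO=TCP SPT=40000 DPT=443 WINDOW=29200 RES=0x00 SYN URGP=0",
]

if __name__ == "__main__":
    rep = parse_report(SAMPLE_REPORT)
    print(f"{rep['family']} alert: {rep['time_utc']:%Y-%m-%d %H:%M:%S} UTC "
          f"= {rep['time_edt']:%Y-%m-%d %H:%M:%S} EDT")
    print("\n".join(iptables_rules(rep)))
    for (ip, mac), n in find_sources(SAMPLE_SYSLOG, rep):
        print(f"LAN host {ip} ({mac}) reached {rep['dst_ip']}:{rep['dst_port']} {n}x")
```

Paste the two printed iptables lines into the router's shell, wait for the next beacon, and grep the syslog for the C2-BLOCK prefix; the MAC it prints is the one to look up in the DHCP client list. Two caveats: the rules only record traffic from the moment they are installed, so earlier alerts cannot be reconstructed from them, and dropping the connection silences the ISP's detector without removing the malware, so the device that shows up still has to be wiped and every password typed on it changed.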

Re: Internet was blocked for a so called virus????????

Unfortunately, outside of blocking ports (which could potentially block GOOD software as well), there is not much they can do protection-wise.
There are hundreds of thousands of types of internet-connected devices; there is no way they could have or provide something to protect each one. End-user devices are always up to the end user.

That being said, seeing more of these lately, I am thinking of one of two things (leaning towards number 2):

1) Other internet-connected devices (outside of phones and computers) can, over time, be prone to hacks, etc. All these sorts of devices often have firmware upgrades available, often through their companion app.

2) Modem MAC cloning. People are not noticing this as much now, with unlimited plans, if their usage might be up, etc.
Someone has a modem with SOMEONE ELSE'S MAC address cloned onto it, so that on Rogers' side anything coming from that modem is tied to your account as well. The people with these things are doing anything from illegal downloading to running spam and malware bots, etc., so any of that bad stuff would trigger on the real user's account.
The only real way to try and fix this is to do a modem swap.
