Paul928

join:2000-05-06
Haverhill, MA
reply to smith_in_co

Re: Constant Guard Security Alert?

I too have a wireless router that is pretty well locked down.... And no, my daughter has never given out the password to anybody! Just out of curiosity, I'm wondering if people that have Constant Guard on their computer are also getting these warnings, or for that matter, if a scan is done with Constant Guard, has any such malware been detected? I also find that between all these programs and scans being run (free or paid), at least one of them would be able to detect this "mystery" malware! I for one have spent enough of my time on this, and outside of actually doing a format on both my computers, have done all I can do! I am almost tempted to download a copy of Constant Guard to see, as an experiment, if it picks up on this exploit, even though I have always had a personal policy to keep my computers as clean as I can by not installing resource hog programs like Constant Guard..... Might be worth it though, just to ease my own mind.



sortofageek
Runs from Clowns
Premium,Mod
join:2001-08-19
kudos:21
reply to Paul928

Paul,

Here is an example of what I sent ComcastSteve. He confirmed it was a "phishing expedition."

Notice the two bolded email domains. I would expect an email from Comcast to come from the comcast.com domain, so I was immediately suspicious.
================================

This morning I got an odd email to one of my Comcast email accounts, one I don't use heavily, just have some political stuff occasionally.

At first glance, I thought the subject was Constant Guard Alert. That struck me as odd since I have not installed Constant Guard.

The title is actually Comcast Guard Alert. Hmmm. It says it is from Comcast@security.com. Another hmmmm.

It has a link it wants me to click. The link is disguised as "Account Reconciliation" which covers the actual link ---> ht tp://butrflydrms213.home.comcast.net

Email headers:

Return-Path: root@wiki.poweroasis.com
Received: from imta31.westchester.pa.mail.comcast.net (LHLO
imta31.westchester.pa.mail.comcast.net) (76.96.62.25) by
sz0115.ev.mail.comcast.net with LMTP; Fri, 15 Jun 2012 21:07:49 +0000 (UTC)
Received: from Ubuntu11x64Svr ([84.92.25.153])
by imta31.westchester.pa.mail.comcast.net with comcast
id Nl7o1j01t3JBZMQ0Xl7oxZ; Fri, 15 Jun 2012 21:07:49 +0000
X-CAA-SPAM: 00000
X-Authority-Analysis: v=2.0 cv=WZ2OmjdX c=1 sm=1
a=p3riUwRaJWU4p/K8+3S3WQ==:17 a=YWNZQc2wkpcA:10 a=HRn4fpiT8EsA:10
a=cVHRbVdmAAAA:8 a=C_IRinGWAAAA:8 a=Baj1MykYeoxCemNOp18A:9
a=p3riUwRaJWU4p/K8+3S3WQ==:117
Received: from root by Ubuntu11x64Svr with local (Exim 4.76)
(envelope-from )
id 1Sfdi5-0006N0-6g
for xxxxxxx@comcast.net; Fri, 15 Jun 2012 22:05:37 +0100
To: xxxxxxx@comcast.net
Subject: Comcast Guard Alert
X-PHP-Originating-Script: 0:send.php
From: comcast@security.com
Content-Type: text/html
Message-Id:
Date: Fri, 15 Jun 2012 22:05:37 +0100
X-Brightmail-Tracker: AAAAAA==
X-Brightmail-Tracker: AAAAAA==

Email message:

Xfinity

Constant Guard Alert

Dear XFINITY Customer,

Please read this entire message.

In an effort to improve our customers' experience,
Comcast has been reviewing some user accounts and sending e-mails that direct customers to an

Account Reconciliation
ht tp://butrflydrms213.home.comcast.net

We appreciate your prompt attention to this important security notice.

Sincerely,

Constant Guard from XFINITY
===========================

Pfish?


--
Join Team Helix * I am praying for these friends.
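The check sortofageek applies above (does the displayed From: domain match where the mail actually came from?) can be automated. The script below is an added example and is not from this thread or from Comcast: it parses a raw message, compares the From: domain with the Return-Path and with the host that handed the mail into the recipient's own mail servers (the oldest Received: hop whose "by" server is in the recipient's domain), checks for an empty Message-Id and a script-generated-mail header, and lists the hosts behind the body's links. The sample message is constructed to have the same header shape as the quoted one; every hostname, address and IP in it is a placeholder, and the expected sender domains are taken from the post's own expectation.

```python
"""Header triage for a suspected phishing email (added example, not from the thread)."""
import email
import re
from urllib.parse import urlsplit

# Domains the post expects a genuine Comcast notice to come from.
EXPECTED_SENDER_DOMAINS = ("comcast.com", "comcast.net")

# Constructed sample: same header shape as the quoted message, placeholder values.
SAMPLE = """\
Return-Path: root@wiki.sender.example
Received: from mail-relay.isp.example (LHLO mail-relay.isp.example) (192.0.2.25)
 by mbox.isp.example with LMTP; Fri, 15 Jun 2012 21:07:49 +0000 (UTC)
Received: from Ubuntu11x64Svr ([198.51.100.153])
 by mail-relay.isp.example with isp id abc123; Fri, 15 Jun 2012 21:07:49 +0000
Received: from root by Ubuntu11x64Svr with local (Exim 4.76)
 (envelope-from <root@wiki.sender.example>)
 id 1AbCdE-000000-Xy
 for victim@isp.example; Fri, 15 Jun 2012 22:05:37 +0100
To: victim@isp.example
Subject: Comcast Guard Alert
X-PHP-Originating-Script: 0:send.php
From: comcast@security.example
Content-Type: text/html
Message-Id:
Date: Fri, 15 Jun 2012 22:05:37 +0100

<html><body><a href="http://account-reconciliation.example/">Account Reconciliation</a></body></html>
"""


def domain_of(addr):
    """Lower-cased domain of the first address in a header value ('' if none)."""
    m = re.search(r"@([A-Za-z0-9.-]+)", addr or "")
    return m.group(1).lower().rstrip(".") if m else ""


def in_domain(host, domain):
    """True if host is domain itself or a subdomain of it."""
    host = host.lower().rstrip(".")
    return host == domain or host.endswith("." + domain)


def received_hops(msg):
    """(from_host, from_ip, by_host) for each Received: header, oldest hop first."""
    hops = []
    for raw in msg.get_all("Received", []):
        text = " ".join(str(raw).split())  # unfold continuation lines
        frm = re.search(r"\bfrom\s+(\S+)", text)
        ip = re.search(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", text)
        by = re.search(r"\bby\s+(\S+)", text)
        hops.append((frm.group(1) if frm else "",
                     ip.group(1) if ip else "",
                     by.group(1) if by else ""))
    return hops[::-1]  # each hop prepends its header, so reverse for chronological order


def link_hosts(msg):
    """Hostnames of every href in the body, sorted and de-duplicated."""
    body = msg.get_payload(decode=True) or b""
    hrefs = re.findall(r"""href=["']?([^"'\s>]+)""", body.decode("utf-8", "replace"))
    return sorted({urlsplit(h).hostname for h in hrefs if urlsplit(h).hostname})


def analyze(raw):
    """Return the extracted sender facts plus a list of human-readable findings."""
    msg = email.message_from_string(raw)
    from_dom = domain_of(msg.get("From", ""))
    rp_dom = domain_of(msg.get("Return-Path", ""))
    rcpt_dom = domain_of(msg.get("To", ""))
    # Ingress hop: the oldest hop received BY a server in the recipient's own
    # domain. Whatever handed the mail to that server is the outside origin.
    origin_host, origin_ip = "", ""
    for frm, ip, by in received_hops(msg):
        if rcpt_dom and in_domain(by, rcpt_dom):
            origin_host, origin_ip = frm, ip
            break
    findings = []
    if from_dom and rp_dom and from_dom != rp_dom:
        findings.append(f"From domain {from_dom} differs from Return-Path domain {rp_dom}")
    if from_dom and not any(in_domain(from_dom, d) for d in EXPECTED_SENDER_DOMAINS):
        findings.append(f"From domain {from_dom} is not an expected sender domain")
    if origin_host and not any(in_domain(origin_host, d) for d in EXPECTED_SENDER_DOMAINS):
        findings.append(f"mail entered the recipient's mail system from {origin_host} [{origin_ip}]")
    if not (msg.get("Message-ID") or "").strip():
        findings.append("Message-ID header missing or empty")
    if msg.get("X-PHP-Originating-Script"):
        findings.append("generated by a PHP script: " + msg["X-PHP-Originating-Script"])
    links = link_hosts(msg)
    for host in links:
        if not any(in_domain(host, d) for d in EXPECTED_SENDER_DOMAINS):
            findings.append(f"body link points to {host}")
    return {"from_domain": from_dom, "return_path_domain": rp_dom,
            "origin_host": origin_host, "origin_ip": origin_ip,
            "link_hosts": links, "findings": findings}


if __name__ == "__main__":
    for line in analyze(SAMPLE)["findings"]:
        print("-", line)
```

Each finding on its own is weak (plenty of legitimate bulk mail has a Return-Path on a different domain), which is why the script reports all of them and leaves the verdict to the reader; the combination seen here, an off-brand From: domain, an origin host with no relation to the claimed sender, and a link to yet another host, is the pattern the post describes.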


jlivingood
Premium,VIP
join:2007-10-28
Philadelphia, PA
kudos:2

1 recommendation

reply to smith_in_co

said by smith_in_co:

I can understand that the IPv6 transition is preventing the rollout of new tools and capabilities,

It is actually the reverse: It's not that IPv6 is preventing anything -- it is more that IPv4 NAT is. IPv6 actually enables more things.

said by smith_in_co:

I think the current state of scaring the heck out of your customers with inaccurate and incomplete reports is a disservice to your customers.

While the language of the alerts is written to acknowledge the possibility of false positives, we think it'd be a disservice not to tell customers that we have observed one of their hosts participating in a bot network. Keep in mind that malware removal tools are in their relative infancy compared to, say, anti-virus tools. Bots are designed to be difficult to find and difficult to remove. Were that not the case, bots would not be so successful getting onto trusted hosts on some of the world's most secure networks -- not to mention your average home LAN.

said by smith_in_co:

As I mentioned in the Comcast Direct Forum please provide the details about what triggers the bot alert and then I and others can work backward from our Router(s) to search for the problem.

What triggers the alert is customers participating in malicious bot networks.
--
JL
Comcast


NetFixer
Snarl For The Camera Please
Premium
join:2004-06-24
The Boro
reply to sortofageek

said by sortofageek:

Paul,

Here is an example of what I sent ComcastSteve. He confirmed it was a "phishing expedition."...

Just because you received a phishing email pretending to be from Comcast does not mean that the OP did. In fact, when the OP went to »amibotted.comcast.net/, that site confirmed that Comcast had indeed identified his connection as being a bot host:
said by Paul928:

According to that link, I am indeed infected with the ad aware virus or something like that...

Not only that, but the post containing the headers from the OP's email to which you replied clearly shows that the email received by the OP was indeed from Comcast.
--
We can never have enough of nature.
We need to witness our own limits transgressed, and some life pasturing freely where we never wander.

smith_in_co

join:2003-12-12
Colorado Springs, CO
reply to jlivingood

What I need to know is what activity, or access to what IP or website, your tool has determined warrants a BOT notification. If you can provide the requested info, I at least have a chance of preventing the activity or access at my router and/or computer.



pflog
Bueller? Bueller?
Premium,MVM
join:2001-09-01
El Dorado Hills, CA
kudos:3

1 recommendation

said by smith_in_co:

What I need to know is what activity, or access to what IP or website, your tool has determined warrants a BOT notification. If you can provide the requested info, I at least have a chance of preventing the activity or access at my router and/or computer.

It's not Comcast's job to police your LAN or identify the malware. They detected it and notified you. It's in your hands now to find it. Why is it their responsibility to find your bot/malware?
--
"I drank what?" -Socrates

smith_in_co

join:2003-12-12
Colorado Springs, CO

1 recommendation

I'm not asking them to 'correct my LAN'; what I'm asking is for them to tell me what they have identified that makes their tool think I have a bot.

As you can see in my post, what I'm asking for is an IP or DNS name that they are seeing activity to from my modem, which makes them think one of my devices is hosting a BOT.



pflog
Bueller? Bueller?
Premium,MVM
join:2001-09-01
El Dorado Hills, CA
kudos:3

1 recommendation

said by smith_in_co:

I'm not asking them to 'correct my LAN'; what I'm asking is for them to tell me what they have identified that makes their tool think I have a bot.

As you can see in my post, what I'm asking for is an IP or DNS name that they are seeing activity to from my modem, which makes them think one of my devices is hosting a BOT.

This is why I like having a FreeBSD (or Linux, etc) type box as a router. I can tcpdump and see what's going on with the network and find it myself.

But yes, if all you want to know is IP or host names, then that seems reasonable. But given the amount of data they must go through, it's not inconceivable that they throw this kind of stuff away once it's reported to save on space.
--
"I drank what?" -Socrates

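pflog's point is that a router you can run tcpdump on lets you see the traffic yourself, which is exactly the information smith_in_co is asking Comcast for. The script below is an added example, not code from this thread: it reads tcpdump's one-line-per-packet text output, keeps only outbound TCP SYNs from the LAN (new connection attempts), counts connections per (source host, destination, port), and flags pairs that recur at a steady interval, the periodic call-back pattern a bot often shows. The packet lines are constructed, and the LAN range and the thresholds (`min_hits`, `max_jitter`) are assumptions to adjust for your own network.

```python
"""Find which LAN host is talking to where, from tcpdump text output (added example)."""
import ipaddress
import re
import statistics
from collections import defaultdict

LAN = ipaddress.ip_network("192.168.1.0/24")  # assumed home LAN range

# Matches the start of a tcpdump line such as:
# 21:00:00.100000 IP 192.168.1.23.51000 > 198.51.100.77.8080: Flags [S], seq ...
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP (?P<src>\d+(?:\.\d+){3})\.(?P<sport>\d+) > "
    r"(?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\]"
)

# Constructed capture: one host opens a connection to 198.51.100.77:8080 every
# minute, plus ordinary browsing to 203.0.113.5:443 and a DNS query.
SAMPLE_LINES = [
    "21:00:00.050000 IP 192.168.1.23.53011 > 192.168.1.1.53: 41234+ A? update.example. (32)",
    "21:00:00.100000 IP 192.168.1.23.51000 > 198.51.100.77.8080: Flags [S], seq 100, win 8192, length 0",
    "21:00:00.150000 IP 198.51.100.77.8080 > 192.168.1.23.51000: Flags [S.], seq 200, ack 101, win 65535, length 0",
    "21:00:12.300000 IP 192.168.1.23.51001 > 203.0.113.5.443: Flags [S], seq 300, win 8192, length 0",
    "21:01:00.100000 IP 192.168.1.23.51002 > 198.51.100.77.8080: Flags [S], seq 400, win 8192, length 0",
    "21:01:35.000000 IP 192.168.1.40.60000 > 203.0.113.5.443: Flags [S], seq 500, win 8192, length 0",
    "21:02:00.100000 IP 192.168.1.23.51003 > 198.51.100.77.8080: Flags [S], seq 600, win 8192, length 0",
    "21:02:44.700000 IP 192.168.1.23.51004 > 203.0.113.5.443: Flags [S], seq 700, win 8192, length 0",
    "21:03:00.100000 IP 192.168.1.23.51005 > 198.51.100.77.8080: Flags [S], seq 800, win 8192, length 0",
    "21:04:00.100000 IP 192.168.1.23.51006 > 198.51.100.77.8080: Flags [S], seq 900, win 8192, length 0",
]


def parse_ts(ts):
    """'HH:MM:SS.ffffff' -> seconds since midnight."""
    h, m, s = ts.split(":")
    return int(h) * 3600 + int(m) * 60 + float(s)


def outbound_syns(lines):
    """Yield (time_s, src, dst, dport) for each new TCP connection opened from the LAN."""
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["flags"] != "S":  # only bare SYNs: new connection attempts
            continue
        if ipaddress.ip_address(m["src"]) not in LAN:
            continue  # inbound reply or transit packet
        yield parse_ts(m["ts"]), m["src"], m["dst"], int(m["dport"])


def summarize(lines, min_hits=4, max_jitter=2.0):
    """Per (src, dst, dport): connection count, mean interval and a beacon flag.

    A pair is flagged as beaconing when it has at least min_hits connections and
    the gaps between them vary by no more than max_jitter seconds (pstdev).
    """
    times = defaultdict(list)
    for t, src, dst, dport in outbound_syns(lines):
        times[(src, dst, dport)].append(t)
    report = {}
    for key, ts in times.items():
        ts.sort()
        gaps = [b - a for a, b in zip(ts, ts[1:])]
        entry = {"count": len(ts), "interval": None, "beacon": False}
        if len(ts) >= max(min_hits, 2):
            entry["interval"] = round(statistics.mean(gaps), 1)
            entry["beacon"] = statistics.pstdev(gaps) <= max_jitter
        report[key] = entry
    return report


def beacons(lines, **kw):
    """Sorted list of (src, dst, dport) pairs that look like periodic call-backs."""
    return sorted(k for k, v in summarize(lines, **kw).items() if v["beacon"])


if __name__ == "__main__":
    for (src, dst, dport), e in sorted(summarize(SAMPLE_LINES).items()):
        flag = "  <-- periodic, check this host" if e["beacon"] else ""
        print(f"{src} -> {dst}:{dport}  connections={e['count']} interval={e['interval']}{flag}")
```

On a real router the input would be `tcpdump -n -i <lan interface> 'tcp[tcpflags] & (tcp-syn|tcp-ack) == tcp-syn'` piped to a file; the interesting output is which internal address is the source, since that is the machine to scan, and the destination it keeps returning to, which is the IP/host name smith_in_co wanted from Comcast. The thresholds matter: with `min_hits=2` the two ordinary HTTPS connections from the same host also pass the jitter test, so keep the minimum count high enough that a handful of normal visits do not trip it.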

ropeguru
Premium
join:2001-01-25
Mechanicsville, VA
reply to smith_in_co

pflog beat me to it...


smith_in_co

join:2003-12-12
Colorado Springs, CO

1 recommendation

But their software is supposedly seeing something from my modem's IP to some other point in space. This is the information that I want them to provide. Once I know what/where that point is, I can locate where the access is coming from at my router.



Paul928

join:2000-05-06
Haverhill, MA

1 recommendation

reply to Paul928

Okay, some interesting developments just happened....I just did a full scan with Superantivirus, and after the scan it found the following:

Trojan.Agent/Gen-UsrMgr
E:\USERS\PAUL\APPDATA\LOCAL\TEMP\PYLC712.TMP.EXE
E:\USERS\PAUL\APPDATA\LOCAL\TEMP\PYL255B.TMP.EXE
E:\USERS\PAUL\APPDATA\LOCAL\TEMP\PYL34A7.TMP.EXE
E:\USERS\PAUL\APPDATA\LOCAL\TEMP\PYL48A3.TMP.EXE
E:\USERS\PAUL\APPDATA\LOCAL\TEMP\PYL9A8A.TMP.EXE
E:\USERS\PAUL\APPDATA\LOCAL\TEMP\PYLAC45.TMP.EXE
E:\USERS\PAUL\APPDATA\LOCAL\TEMP\PYLE027.TMP\PYRUN.EXE
E:\USERS\PAUL\APPDATA\LOCAL\TEMP\PYLE027.TMP.EXE
E:\USERS\PAUL\APPDATA\LOCAL\TEMP\PYLE8D8.TMP.EXE
E:\USERS\PAUL\APPDATA\LOCAL\TEMP\PYLEDF6.TMP.EXE
E:\USERS\PAUL\APPDATA\LOCAL\TEMP\PYLF0A4.TMP.EXE
E:\USERS\PAUL\APPDATA\LOCAL\TEMP\PYLF8DF.TMP.EXE

I then let the program do a cleanup and fix, rebooted, and then rechecked at the "amibotted" link, and now it says I am clean and no bots found! So I guess it depends on what program you are using to detect these things....... Just wanted to update things in case someone else gets this infection.


sortofageek
Runs from Clowns
Premium,Mod
join:2001-08-19
kudos:21

1 recommendation

reply to NetFixer

My post simply gave an example of an email which was a phishing message. Nothing more, nothing less.
--
Join Team Helix * I am praying for these friends.


smith_in_co

join:2003-12-12
Colorado Springs, CO
reply to Paul928

Thanks Paul, I did an Admin search for the pyrun file and it didn't come up. I also checked for .exe's in the Appdata/Local/Temp directory; none found.

I'll probably download the Superantivirus and give it a try.



Paul928

join:2000-05-06
Haverhill, MA

Yes, give it a try.... Actually, I am curious to see if this works for you. Please post back on your findings.


smith_in_co

join:2003-12-12
Colorado Springs, CO


Hi Paul,

I ran Super*. It found some tracking cookies (in the HP/Appdata folders), which, considering these are HP computers with HP utilities, is not surprising.

It also found some files which it classifies as PUPs but I'm somewhat familiar with these and I'm 99% sure they would not be generating bot traffic.

Anyway, I'm still rather displeased with Comcast since they have not responded in the Comcast Direct forum about what caused their software to log my modem's activity as a BOT notification.

As a side note: Century Link just completed laying fibre across my front yard, so I may consider switching ISPs -- I'm sure Comcast doesn't care about losing a 25-year customer; at least their lack of response to my questions would indicate that is the case.



NetFixer
Snarl For The Camera Please
Premium
join:2004-06-24
The Boro

said by smith_in_co:

I'm still rather displeased with Comcast since they have not responded in the Comcast Direct forum about what caused their software to log my modem's activity as a BOT notification.

A reluctance to release details for an ISP-detected security issue is common for most ISPs (I have dealt with this on numerous occasions when an ISP's auto-detection methods, or a complaint filed by an outsider, would trigger an email warning for me to cease and desist running my »portscan.dcs-net.net site). They don't want to release details of their detection methods because otherwise malware authors and distributors would then have an easy way to redesign their products to avoid detection.

Also, in the case of Comcast's Constant Guard program, I am pretty sure that it is mostly an automated process, and it would probably be extremely difficult to find a Comcast employee with the ability to find out exactly what bot is/was detected, or when it was detected.
--
We can never have enough of nature.
We need to witness our own limits transgressed, and some life pasturing freely where we never wander.

smith_in_co

join:2003-12-12
Colorado Springs, CO

I appreciate the comments, and I can understand the reluctance to release details for fear of making their detection methods known.

But I would think they could at least tell me the IP or name of the website that they believe my modem accessed. Currently the only information they provided me was the name of the bot, Adware_generic (pretty generic in itself!), and a time at which the BOT was last seen. As a side note, the last seen time was totally wrong when they released the new version of their tool the week of Dec 4th.

So, in trying to be a 'good' net citizen, what can I do to eliminate the bot? Assuming the bot is not a false positive to begin with.

Thanks


ExoticFish

join:2008-08-31
Stuarts Draft, VA

Have you tried running Avast? I read the beginning posts but didn't read all the recent ones, so forgive me if running another anti-virus program was suggested and tried.
--
»www.VAJeeps.com
»www.BronzedBod.com


smith_in_co

join:2003-12-12
Colorado Springs, CO


I haven't specifically tried Avast; I may download it and give it a try. The issue I've seen with the less common scanners is that they flag things they shouldn't. For instance, SuperAnti* flagged the VPN software that my daughter uses to connect to her University for coursework; it also flagged the Tencent software (this is instant messaging, video conference and more software that is common in Asia) that my wife and daughter use, and it flagged numerous cookies in HP folders that are written by HP utilities.

Among the ones I have tried (and there are probably more): Norton Security Suite software and their Power Eraser, MSRT (Nov. and Dec. versions), Microsoft also has something they refer to as Microsoft Safety Scanner, SuperAnti*, and I think some others.

In the particular case of this Adware_generic item, in the version of Comcast's software prior to 4-Dec they stated in the notification message that this bot would be found and removed by MSRT (which was not the case for me).



NetFixer
Snarl For The Camera Please
Premium
join:2004-06-24
The Boro
reply to smith_in_co

said by smith_in_co:

So, in trying to be a 'good' net citizen, what can I do to eliminate the bot? Assuming the bot is not a false positive to begin with.

I don't know about it being a false positive (but that has happened with Comcast's detection of the "DNS Changer" malware).

One possibility is that you may have actually already eliminated the bot (assuming that there is/was a bot). The »amibotted.comcast.net/ site does not do any kind of fresh scan when you visit it; it only reports that Comcast has at some point in time detected what it considers to be bot activity on the IP address from which you are accessing that site. Perhaps jlivingood or some other Comcast representative who is familiar with how their ConstantGuard scanner works can provide some insight about how long a delay there is before the »amibotted.comcast.net/ site will stop reporting previously detected bot activity. Hopefully it is not like a sexual predator database where you will be in it forever.

Assuming that you are using a router, you might try cloning the MAC address from a PC into the router's WAN interface, and then rebooting both the cable modem (some EMTA modems may require that you remove the battery and/or press a special reset button) and the router. That should get Comcast's DHCP server to assign you a different public IP address, and you can then see if new bot activity is discovered on your new IP address.
--
We can never have enough of nature.
We need to witness our own limits transgressed, and some life pasturing freely where we never wander.

smith_in_co

join:2003-12-12
Colorado Springs, CO


It's my understanding that with the 4-Dec release, they reset the "you may have a bot" message after 24 hours (the old version was 7 days, I think).

Sooo... after 24 hours you won't even know what the last seen time was....

In my case I've been getting the no bot message for two days now. But I don't think I've removed anything that has actually disabled a bot.



goofy01

join:2004-02-05
Hammond, IN

If I remember correctly from before, there was some kind of connection scanner (like ping plotter) that used to check your connection to a few different places to track downtime. This program had a few connections (might have been only one) that were later flagged as part of the botnet network. Not sure if this relates, just pointing it out in case you have something like this running.