[VA] False Alarm email about Zeus?
I've received an email from Cox saying the following:
[6.15.2015 25422129] Compromised Computer Notification from Cox Communications
Dear Subscriber,
Cox has identified that one or more of the computers behind your cable modem are likely infected with the Zeus Trojan/bot, also known as Zbot. While this malicious software is not new, it still poses a great risk to your computer and files that reside on your hard drive.
Zeus malware uses keylogging in order to access user names and passwords and infected over 13 million computers worldwide.
We recommend you take the following action:
1. Visit the Microsoft or Symantec website, download and run the FREE removal tool. The web addresses are: »www.microsoft.com/securi ··· scanner/
»www.symantec.com/securit ··· -1402-99
These tools do a great job of finding and cleaning many types of malicious software that may reside on your systems and will specifically target Zeus.
After running the free Microsoft removal tool, if you already have security software installed on your system:
2) Follow your security software's instructions to download the latest updates (also known as "virus definitions")
3) When the new definitions have been loaded, perform a full virus scan on your system.
If you do not already have security software on your computer, we recommend the Cox Security Suite powered by McAfee, which is included at no extra charge with your service.
To install the Cox Security Suite powered by McAfee:
1) Visit »myaccount.cox.net/ and click on Internet Tools
2) Log in with your primary account User ID
3) Select the Security Suite link to download and install the software
4) When the install is complete, the program will automatically conduct a full scan
If you have any questions regarding this matter, please call us at 800-753-6085 and provide the reference number provided in the subject of this email.
If you would like additional information on the Zeus botnet we recommend these articles:
»www.us-cert.gov/ncas/ale ··· A14-150A
»www.eweek.com/c/a/Securi ··· -544534/
»www.computerworld.com/s/ ··· _malware
Regards,
Cox Customer Safety

I've scanned with MSE, Microsoft Safety Scanner, and Malwarebytes with clean results. Could this be a false alarm?

justin (Mod)
2015-Jun-16 4:20 am
Zbot can be detected by its attempts to contact a C&C server at a specific address or a DNS lookup of a specific host.
quote:
Behind a NAT, you should be able to find the infected machine by looking for attempted connections to IP address 87.255.51.229 or host name benznflvsgttdydqdguwcem.info on any port with a network sniffer such as wireshark. Equivalently, you can examine your DNS server or proxy server logs for references to 87.255.51.229 or benznflvsgttdydqdguwcem.info. See Advanced Techniques for more detail on how to use wireshark - ignore the references to port 25/SMTP traffic - the identifying activity is NOT on port 25.
I imagine that if this letter is accurate, they logged this from your IP at some point and then associated the IP with your account at the time of the log. Since you can get various tools that specifically scan for Zbot/Zeus and see if they come up empty, you can work out whether or not your PC currently has an issue.
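As an added illustration (not part of justin's post or the quoted text), this is how the log check described in the quote can be run over resolver and proxy logs from the NAT side: the log lines are constructed, and the only two indicators matched are the IP address and host name quoted above.

```python
import ipaddress
import re
from collections import defaultdict
# The two indicators quoted in the post above; nothing else is matched.
IOC_IP = ipaddress.ip_address("87.255.51.229")
IOC_HOST = "benznflvsgttdydqdguwcem.info"

# Constructed sample: BIND-style query-log lines, then Squid-style proxy lines.
SAMPLE_LOGS = """\
16-Jun-2015 04:02:15.004 client 192.168.1.45#49155: query: benznflvsgttdydqdguwcem.info IN A + (192.168.1.1)
16-Jun-2015 04:02:15.010 client 192.168.1.45#49155: query: BenzNFLvsgttdydqdguwcem.INFO. IN A + (192.168.1.1)
1434427335.771 192.168.1.45 TCP_MISS/000 0 CONNECT 87.255.51.229:443 - HIER_DIRECT/87.255.51.229 -
1434427340.120 192.168.1.23 TCP_MISS/200 5120 GET http://www.example.com/ - HIER_DIRECT/93.184.216.34 text/html
"""
IPV4_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")

def _ip(tok):
    try:  # returns None for junk like 999.1.1.1
        return ipaddress.ip_address(tok)
    except ValueError:
        return None

def lan_client(line):
    """First RFC 1918 address on the line is taken to be the NAT-side client."""
    for tok in IPV4_RE.findall(line):
        addr = _ip(tok)
        if addr and addr.is_private:
            return str(addr)
    return None

def indicators_in(line):
    """Quoted indicators referenced on this line (case-insensitive, trailing
    dot ignored, subdomains of the C&C host included)."""
    found = set()
    if any(_ip(tok) == IOC_IP for tok in IPV4_RE.findall(line)):
        found.add(str(IOC_IP))
    for tok in re.split(r"[\s/:]+", line):  # host names may sit inside URLs
        name = tok.lower().rstrip(".")
        if name == IOC_HOST or name.endswith("." + IOC_HOST):
            found.add(IOC_HOST)
    return found

def find_hits(log_text):
    """Map each LAN client to the indicators it touched: the machine to clean."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        iocs = indicators_in(line)
        if iocs:
            hits[lan_client(line) or "unknown"].update(iocs)
    return dict(hits)
```

On the sample, only 192.168.1.45 touches either indicator, which is the machine the quote says to look for behind the NAT.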
BryanInPHX (Premium Member)
to jpark324
Try running ESET Online Scanner in Safe Mode w/ Networking. It catches things others don't in my experience.
said by BryanInPHX:
Try running ESET Online Scanner in Safe Mode w/ Networking. It catches things others don't in my experience.
+1 for running the ESET Online Scanner...
to BryanInPHX
ESET Online Scanner showed clean

odog (Premium Member)
2015-Jun-16 3:51 pm
How many computers do you have?

1
hmm AVG Virus Remover for Win32/Zbot also showed nothing

Fubar
to jpark324
Anyone borrow your Wi-Fi lately?

Danniegurl (Anon)
2015-Jun-17 9:08 pm
So my grandparents also got this email. My grandfather reported it to Cox and they told him it was a scam email... but it was sent from abuse@cox.net, so I'm not entirely sure how this is false? My grandma downloaded the tool and I'm trying to figure out if it's a virus or not.

justin (Mod)
to jpark324
Can you post full headers from the email, minus your email address if it appears there?
From: Cox Customer Safety
subject: [6.15.2015 25422129] Compromised Computer Notification from Cox Communications
mailed-by: cox.net

justin (Mod)
2015-Jun-17 11:23 pm
No, the full headers. The entire chunk, minus your email or IP address if it appears.

Danniegurl (Anon)
2015-Jun-17 11:47 pm
Ok, so my grandmother also called Cox and confirmed this was NOT an email sent by them.
That's a relief, but isn't abuse@cox.net theirs? Also, the links didn't seem like they were leading to a fake address.
I didn't really do anything with the links in the email regardless, just to be sure.
jpark324
to justin
from: Cox Customer Safety
to: xxxx@xxxx.com
date: Mon, Jun 15, 2015 at 11:21 PM
subject: [6.15.2015 25422129] Compromised Computer Notification from Cox Communications
mailed-by: cox.net

justin (Mod)
2015-Jun-18 12:46 am
If it is a scam, where is the bad link?
No clue. That's why I was confused when 4 different up-to-date scanners came out clean.

Danniegurl (Anon)
2015-Jun-18 4:08 am
I too was confused as to how it's not them. All the sites seem legit and my gma's scans came up clean too. No idea, but both someone on the phone and the email report said the same thing: it's a scam email and it's not theirs. I do wonder if there is a way to have their email show up and not the actual spoof email? No idea. But I also noticed that when Cox emails me I get a banner and more of an embedded email with their logos and such, and this email was in a typewriter font and had no banners or logos, so that is questionable. Just thought I'd pass it along. Would be interesting if those who got the email also called Cox and see what they say.

BryanInPHX (Premium Member)
None of you have posted the email headers yet, that would most likely tell you. Remove your email address and IP address before posting: » kb.iu.edu/d/adix

Danniegurl (Anon)
2015-Jun-18 3:04 pm
What everyone has posted is EXACTLY THE EMAIL. It states it is from Cox Customer Safety and comes from abuse@cox.net. The wording in the email was posted in the first post and once again later down when someone asked. It is typed in a non-HTML email. It's just a typewriter-looking font. No graphics, nothing.

Danniegurl (Anon)
2015-Jun-18 3:33 pm
[image attachment: The email]
This is what it looks like

justin (Mod)
to Danniegurl
yes but please refer to that tiny link posted on how to get (your mail client) to show full headers
A mail saying "hi!" has about half a page of header info that is hidden by default. The header is like the envelope, you guys keep posting the letter inside. Your mail program has the full header available. You just have to click to reveal it.
to Danniegurl

looks like you're using webmail.. open email, click options, view source
copy, redact, pasta.
to jpark324
I have gotten an email similar to this (it used to be a browser hijacking alert instead), but for the ZeroAccess virus.
After calling in, and SEVERAL scans (MSE, AVG, McAfee removal tool, Symantec removal tool, ESET Online Scanner, etc.), I would take the email with a grain of salt.
When I called, they said it was just an automated tool that can sometimes pick up a lot of false flags, and that if I have run all those tools, then it could just be the system flagging you wrong. Also, they said if you torrent, that could be the issue too.
to Danniegurl
Among other things, the header includes timestamps, and originating server hostname or IP.
The "from" field is just information telling you what address to reply to. Anybody can easily change this information to say whatever they want.
Think of it like writing a letter to somebody, and writing a different from address on the upper left side of the envelope, because you want the person's reply letter (and/or returned mail) to go there instead of where you sent it from. Exact same concept, and it doesn't at all mean that the person you sent it to owns that actual e-mail address.
The e-mail however, while not showing you the true source email account (there may very well be no source account, which is acceptable per the standard) will show you which server originated the message. If it's not a Cox owned server, then chances are good that Cox didn't send it.
Cox may very well have sent it, but only the header information can confirm that. If the origin server isn't Cox owned, that doesn't necessarily mean that it wasn't sent on behalf of Cox, but somebody who works for Cox could themselves say whether or not they sent it.
However, without the header information, your guess is as good as anybody else's.

Danniegurl (Anon)
2015-Jun-18 9:05 pm
Not sure where my other post went or if it's still being mod'd, but I am on an iPad which makes me unable to do that. I'll try to get on the computer though.

Danniegurl (Anon)
2015-Jun-18 9:21 pm
Ok, is this it?
Content-Type: text/plain
Return-Path:
Received: from eastrmimpo210 ([68.230.241.225]) by eastrmfepo102.cox.net (InterMail vM.8.01.05.15 201-2260-151-145-20131218) with ESMTP id for ; Tue, 16 Jun 2015 20:15:39 -0400
Received: from dukecautil01.mgt.cox.net ([172.18.18.217]) by eastrmimpo210 with cox id hCFf1q00S4h0NJL01CFfzt; Tue, 16 Jun 2015 20:15:39 -0400
Authentication-Results: cox.net; none
Received: by dukecautil01.mgt.cox.net (Postfix, from userid 100) id E4F9B40001A1; Tue, 16 Jun 2015 20:15:39 -0400 (EDT)
Message-ID:
X-Auto-Response-Suppress: AutoReply
X-Loop: Cox Customer Safety
From: Cox Customer Safety
Subject: [6.16.2015 25431439] Compromised Computer Notification from Cox Communications
Date: Tue, 16 Jun 2015 20:15:39 -0400 (EDT)
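Applying the envelope explanation given a few posts up to the headers Danniegurl posted, here is an added example (not from the thread) that walks the Received: chain with Python's standard email module to find the originating server and any relay outside cox.net. The header block is the one posted, with the fields the forum stripped left empty.

```python
import re
from email import message_from_string

# The headers Danniegurl posted above; fields the forum stripped stay empty.
POSTED_HEADERS = """\
Content-Type: text/plain
Return-Path:
Received: from eastrmimpo210 ([68.230.241.225]) by eastrmfepo102.cox.net (InterMail vM.8.01.05.15 201-2260-151-145-20131218) with ESMTP id for ; Tue, 16 Jun 2015 20:15:39 -0400
Received: from dukecautil01.mgt.cox.net ([172.18.18.217]) by eastrmimpo210 with cox id hCFf1q00S4h0NJL01CFfzt; Tue, 16 Jun 2015 20:15:39 -0400
Authentication-Results: cox.net; none
Received: by dukecautil01.mgt.cox.net (Postfix, from userid 100) id E4F9B40001A1; Tue, 16 Jun 2015 20:15:39 -0400 (EDT)
Message-ID:
X-Auto-Response-Suppress: AutoReply
X-Loop: Cox Customer Safety
From: Cox Customer Safety
Subject: [6.16.2015 25431439] Compromised Computer Notification from Cox Communications
Date: Tue, 16 Jun 2015 20:15:39 -0400 (EDT)
"""

# "from <host> ([<ip>]) by <host>"; the "from" part is absent on the first hop.
HOP_RE = re.compile(
    r"(?:from\s+(?P<from>\S+)\s+(?:\(\[?(?P<ip>[\d.]+)\]?\)\s+)?)?by\s+(?P<by>\S+)", re.I)

def parse_hops(raw_headers):
    """Received: headers top to bottom, i.e. last relay first."""
    msg = message_from_string(raw_headers)
    hops = []
    for received in msg.get_all("Received", []):
        m = HOP_RE.search(" ".join(received.split()))  # unfold whitespace
        if m:
            hops.append({"from": m.group("from"), "ip": m.group("ip"), "by": m.group("by")})
    return hops

def originating_server(raw_headers):
    """The bottom-most Received: was written by the first server to handle
    the message; its 'by' host is the origin the post above talks about."""
    hops = parse_hops(raw_headers)
    return hops[-1]["by"] if hops else None

def relays_outside(raw_headers, domain):
    """Fully qualified relay names not under `domain`. Bare names such as
    eastrmimpo210 are internal aliases and are skipped; check that the next
    hop's 'from' recorded the same name."""
    outside = []
    for hop in parse_hops(raw_headers):
        for name in (hop["from"], hop["by"]):
            if name and "." in name and not name.lower().endswith("." + domain):
                outside.append(name)
    return outside
```

On the posted headers the origin is dukecautil01.mgt.cox.net (a local Postfix submission, no "from" host) and every qualified relay is under cox.net; "Authentication-Results: cox.net; none" records that no SPF or DKIM check was made, so this chain is the only origin evidence in the headers.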
justin (Mod)
2015-Jun-18 9:27 pm
It looks like a legit email from Cox, as suggested by the lack of any links in the email that would misdirect the recipient.
So I suspect that one part of Cox does not know what the other part of Cox is doing.

Fubar
to jpark324
Do you have a router?
If not do you shut your PC off for extended periods?
Maybe you got a new IP that showed infected by someone else?
to jpark324
I got one of these as well. False alarm here too.