[VA] False Alarm email about Zeus?

jpark324 (Member, join:2015-06-16)

I've received an email from Cox saying the following:
[6.15.2015 25422129] Compromised Computer Notification from Cox Communications

Dear Subscriber,

Cox has identified that one or more of the computers behind your cable modem are likely infected with the Zeus Trojan/bot, also known as Zbot.
While this malicious software is not new, it still poses a great risk to your computer and files that reside on your hard drive.

Zeus malware uses keylogging in order to access user names and passwords and infected over 13 million computers worldwide.

We recommend you take the following action:

1. Visit the Microsoft or Symantec website, download and run the FREE removal tool. The web addresses are:
»www.microsoft.com/securi ··· scanner/

»www.symantec.com/securit ··· -1402-99

These tools do a great job of finding and cleaning many types of malicious software that may reside on your systems and will specifically target Zeus.

After running the free Microsoft removal tool, if you already have security software installed on your system:
2) Follow your security software's instructions to download the latest updates (also known as "virus definitions")
3) When the new definitions have been loaded, perform a full virus scan on your system.

If you do not already have security software on your computer, we recommend the Cox Security Suite powered by McAfee, which is included at no extra charge with your service.

To install the Cox Security Suite powered by McAfee:
1) Visit »myaccount.cox.net/ and click on Internet Tools
2) Log-in with your primary account User ID
3) Select the Security Suite link to download and install the software
4) When the install is complete, the program will automatically conduct a full scan

If you have any questions regarding this matter, please call us at 800-753-6085 and provide the reference number provided in the subject of this email.

If you would like additional information on the Zeus botnet we recommend these articles:

»www.us-cert.gov/ncas/ale ··· A14-150A

»www.eweek.com/c/a/Securi ··· -544534/

»www.computerworld.com/s/ ··· _malware

Regards,

Cox Customer Safety
I've scanned with MSE, Microsoft Safety Scanner, and Malwarebytes with clean results.
Could this be a false alarm?

justin (Mod, join:1999-05-28)
Zbot can be detected by its attempts to contact a C&C server at a specific address or a DNS lookup of a specific host.
quote:
Behind a NAT, you should be able to find the infected machine by looking for attempted connections to IP address 87.255.51.229 or host name benznflvsgttdydqdguwcem.info on any port with a network sniffer such as wireshark. Equivalently, you can examine your DNS server or proxy server logs to references to 87.255.51.229 or benznflvsgttdydqdguwcem.info. See Advanced Techniques for more detail on how to use wireshark - ignore the references to port 25/SMTP traffic - the identifying activity is NOT on port 25.
I imagine that if this letter is accurate, they logged this from your IP at some point and then associated the IP with your account at the time of the log.

Since you can get various tools to specifically scan for Zbot/Zeus and then find if they come up empty, you can work out whether or not your PC currently has an issue.
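As an added example (not from the post or any tool it names), here is how a defender might run the check justin describes over DNS and connection logs on the NAT gateway to find which internal machine touched the indicators; the log lines are constructed in a dnsmasq/netfilter-like format, and the indicator values are the ones quoted above.

```python
import re
from ipaddress import ip_address

# Indicators quoted in the thread: the Zbot C&C address and host name.
ZBOT_IP = ip_address("87.255.51.229")
ZBOT_HOST = "benznflvsgttdydqdguwcem.info"

# Constructed sample log lines (dnsmasq-style query log plus a netfilter-style
# connection log from the same gateway); not a real capture.
SAMPLE_LOG = """\
Jun 16 20:10:01 gw dnsmasq[812]: query[A] www.example.com from 192.168.1.10
Jun 16 20:10:07 gw dnsmasq[812]: query[A] benznflvsgttdydqdguwcem.info from 192.168.1.23
Jun 16 20:10:07 gw dnsmasq[812]: reply benznflvsgttdydqdguwcem.info is 87.255.51.229
Jun 16 20:10:08 gw kernel: CONN src=192.168.1.23 dst=87.255.51.229 dport=443
Jun 16 20:11:30 gw kernel: CONN src=192.168.1.10 dst=93.184.216.34 dport=80
"""

QUERY_RE = re.compile(r"query\[\w+\] (?P<name>\S+) from (?P<client>\S+)")
CONN_RE = re.compile(r"src=(?P<client>\S+) dst=(?P<dst>\S+)")

def host_matches(name: str, indicator: str) -> bool:
    """True for the indicator host itself or any label under it."""
    name = name.rstrip(".").lower()
    return name == indicator or name.endswith("." + indicator)

def find_suspect_clients(log_text: str) -> dict[str, list[str]]:
    """Map each internal client that looked up or connected to a Zbot
    indicator to the log evidence, so the infected host behind the NAT
    can be identified by its private address."""
    hits: dict[str, list[str]] = {}
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if m and host_matches(m.group("name"), ZBOT_HOST):
            hits.setdefault(m.group("client"), []).append("DNS lookup of " + m.group("name"))
            continue
        m = CONN_RE.search(line)
        if m and ip_address(m.group("dst")) == ZBOT_IP:
            hits.setdefault(m.group("client"), []).append("connection to " + m.group("dst"))
    return hits

if __name__ == "__main__":
    for client, evidence in find_suspect_clients(SAMPLE_LOG).items():
        print(client, "->", "; ".join(evidence))
```

A client that appears here is the machine to scan; a clean scan on the one PC you checked says nothing about other devices on the same connection.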

BryanInPHX (Premium Member, join:2001-03-06, Phoenix, AZ) to jpark324:
Try running ESET Online Scanner in Safe Mode w/ Networking
It catches things others don't in my experience.

SoonerAl (MVM, join:2002-07-23, Norman, OK)
said by BryanInPHX:

Try running ESET Online Scanner in Safe Mode w/ Networking
It catches things others don't in my experience.

+1 for running the ESET Online Scanner...
jpark324 (Member) to BryanInPHX:
ESET Online Scanner showed clean

odog, Minister of internet doohickies (Premium Member, join:2001-08-05, Atlanta, GA)
How many computers do you have?
jpark324 (Member)
1
hmm AVG Virus Remover for Win32/Zbot also showed nothing
Fubar (Member, join:2015-01-27, Phoenix, AZ) to jpark324:
Anyone borrow your Wifi lately?

Danniegurl (Anon, @cox.net)
So my grandparents also got this email, my grandfather reported it to cox and they told him it was a scam email.....but it was sent from abuse@cox.net so I'm not entirely sure how this is false? My grandma downloaded the tool and I'm trying to figure out if it's a virus or not.

justin (Mod) to jpark324:
Can you post full headers from the email, minus your email address if it appears there?
jpark324 (Member)
From: Cox Customer Safety

subject: [6.15.2015 25422129] Compromised Computer Notification from Cox Communications

mailed-by: cox.net

justin (Mod)
No, the full headers.
The entire chunk, minus your email or IP address if it appears.

Danniegurl (Anon)
Ok, so my grandmother also called cox and confirmed this was NOT an email sent by them.
jpark324 (Member)
That's a relief, but isn't abuse@cox.net theirs?
Also, the links didn't seem like they were leading to a fake address.

I didn't really do anything with the links in the email regardless, just to be sure.
jpark324 (Member) to justin:
from: Cox Customer Safety
to: xxxx@xxxx.com
date: Mon, Jun 15, 2015 at 11:21 PM
subject: [6.15.2015 25422129] Compromised Computer Notification from Cox Communications
mailed-by: cox.net

Dear Subscriber,

Cox has identified that one or more of the computers behind your cable modem are likely infected with the Zeus Trojan/bot, also known as Zbot.
While this malicious software is not new, it still poses a great risk to your computer and files that reside on your hard drive.

Zeus malware uses keylogging in order to access user names and passwords and infected over 13 million computers worldwide.

We recommend you take the following action:

1. Visit the Microsoft or Symantec website, download and run the FREE removal tool. The web addresses are:
»www.microsoft.com/securi ··· scanner/

»www.symantec.com/securit ··· -1402-99

These tools do a great job of finding and cleaning many types of malicious software that may reside on your systems and will specifically target Zeus.

After running the free Microsoft removal tool, if you already have security software installed on your system:
2) Follow your security software's instructions to download the latest updates (also known as "virus definitions")
3) When the new definitions have been loaded, perform a full virus scan on your system.

If you do not already have security software on your computer, we recommend the Cox Security Suite powered by McAfee, which is included at no extra charge with your service.

To install the Cox Security Suite powered by McAfee:
1) Visit »myaccount.cox.net/ and click on Internet Tools
2) Log-in with your primary account User ID
3) Select the Security Suite link to download and install the software
4) When the install is complete, the program will automatically conduct a full scan

If you have any questions regarding this matter, please call us at 800-753-6085 and provide the reference number provided in the subject of this email.

If you would like additional information on the Zeus botnet we recommend these articles:

»www.us-cert.gov/ncas/ale ··· A14-150A

»www.eweek.com/c/a/Securi ··· -544534/

»www.computerworld.com/s/ ··· _malware

Regards,

Cox Customer Safety

justin (Mod)
If it is a scam, where is the bad link?
jpark324 (Member)
No clue.
That's why I was confused when 4 different up-to-date scanners came out clean.

Danniegurl (Anon)
I too was confused as to how it's not them. All the sites seem legit and my gma's scans came up clean too. No idea, but both someone on the phone and via email report said the same thing: it's a scam email and it's not theirs. I do wonder if there is a way to have their email show up and not the actual spoof email? No idea. But I also noticed that when Cox emails me I get a banner and more of an embedded email with their logos and such, and this email was in a typewriter font and had no banners or logos, so that is questionable. Just thought I'd pass it along. Would be interesting if those who got the email also called Cox and see what they say.

BryanInPHX (Premium Member)
None of you have posted the email headers yet, that would most likely tell you.

Remove your email address and IP address before posting:
»kb.iu.edu/d/adix

Danniegurl (Anon)
What everyone has posted is EXACTLY THE EMAIL. It states it is from Cox Customer Safety and comes from abuse@cox.net.
The wording in the email was posted in the first post and once again later down when someone asked. It is typed in a non-HTML email. It's just a typewriter-looking font. No graphics, nothing.
Danniegurl (Anon)

[Image: The email]
This is what it looks like

justin (Mod) to Danniegurl:
Yes, but please refer to that tiny link posted on how to get (your mail client) to show full headers.

A mail saying "hi!" has about half a page of header info that is hidden by default. The header is like the envelope; you guys keep posting the letter inside.
Your mail program has the full header available. You just have to click to reveal it.
nickphx (Member, join:2009-10-29, Phoenix, AZ) to Danniegurl:
looks like you're using webmail..
open email
click options
view source

copy, redact, pasta.
whiteazn (Member, join:2005-02-10, Henderson, NV) to jpark324:
I have gotten an email similar to this (used to be browser hijacking alert instead), but for the ZeroAccess Virus.

After calling in, and SEVERAL scans (MSE, AVG, McAfee removal tool, Symantec removal tool, ESET Online Scanner, etc.), I would take the email with a grain of salt.

When I called, they said it was just an automated tool that can sometimes pick up a lot of false flags, and that if I have run all those tools, then it could just be the system flagging you wrong. Also, they said if you torrent, that could be the issue too.
Rakeesh (Member, join:2011-10-30, Phoenix, AZ) to Danniegurl:
Among other things, the header includes timestamps, and originating server hostname or IP.

The "from" field is just information telling you what address to reply to. Anybody can easily change this information to say whatever they want.

Think of it like writing a letter to somebody, and writing a different from address on the upper left side of the envelope, because you want the person's reply letter (and/or returned mail) to go there instead of where you sent it from. Exact same concept, and it doesn't at all mean that the person you sent it to owns that actual e-mail address.

The e-mail however, while not showing you the true source email account (there may very well be no source account, which is acceptable per the standard) will show you which server originated the message. If it's not a Cox owned server, then chances are good that Cox didn't send it.

Cox may very well have sent it, but only the header information can confirm that. If the origin server isn't Cox owned, that doesn't necessarily mean that it wasn't sent on behalf of Cox, but somebody who works for Cox could themselves say whether or not they sent it.

However without the header information, your guess is as good as anybody else's.

Danniegurl (Anon)
Not sure where my other post went or if it's still being mod'd but I am on an iPad which makes me unable to do that. I'll try to get on the computer though.
Danniegurl (Anon)
Ok, is this it?

Content-Type: text/plain
Return-Path:
Received: from eastrmimpo210 ([68.230.241.225]) by eastrmfepo102.cox.net
(InterMail vM.8.01.05.15 201-2260-151-145-20131218) with ESMTP
id
for ; Tue, 16 Jun 2015 20:15:39 -0400
Received: from dukecautil01.mgt.cox.net ([172.18.18.217])
by eastrmimpo210 with cox
id hCFf1q00S4h0NJL01CFfzt; Tue, 16 Jun 2015 20:15:39 -0400
Authentication-Results: cox.net; none
Received: by dukecautil01.mgt.cox.net (Postfix, from userid 100)
id E4F9B40001A1; Tue, 16 Jun 2015 20:15:39 -0400 (EDT)
Message-ID:
X-Auto-Response-Suppress: AutoReply
X-Loop: Cox Customer Safety
From: Cox Customer Safety

Subject: [6.16.2015 25431439]
Compromised Computer Notification from Cox Communications
Date: Tue, 16 Jun 2015 20:15:39 -0400 (EDT)
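An added example, not from any poster, that applies Rakeesh's point about the "envelope" to the headers Danniegurl posted: it walks the Received: chain from the origin hop upward and checks whether the host that injected the message sits in the provider's domain. The sample headers are reconstructed from the post, with the ids the poster removed replaced by placeholders.

```python
import email
import re

# Constructed sample based on the header block posted in the thread.
SAMPLE_HEADERS = """\
Received: from eastrmimpo210 ([68.230.241.225]) by eastrmfepo102.cox.net
  (InterMail vM.8.01.05.15 201-2260-151-145-20131218) with ESMTP
  id <elided> for <elided>; Tue, 16 Jun 2015 20:15:39 -0400
Received: from dukecautil01.mgt.cox.net ([172.18.18.217])
  by eastrmimpo210 with cox
  id hCFf1q00S4h0NJL01CFfzt; Tue, 16 Jun 2015 20:15:39 -0400
Authentication-Results: cox.net; none
Received: by dukecautil01.mgt.cox.net (Postfix, from userid 100)
  id E4F9B40001A1; Tue, 16 Jun 2015 20:15:39 -0400 (EDT)
From: Cox Customer Safety
Subject: [6.16.2015 25431439] Compromised Computer Notification from Cox Communications
"""

# "from HOST ([IP])" opens a relayed hop; a locally submitted message starts with
# "by HOST (Postfix, from userid N)" and has no such clause.
FROM_RE = re.compile(r"^from (?P<host>\S+)(?:\s+\(\[?(?P<ip>\d+(?:\.\d+){3})\]?\))?")
BY_RE = re.compile(r"\bby (?P<host>\S+)")

def received_hops(raw_headers: str) -> list[dict]:
    """Received: chain as dicts, origin first (each server prepends its own line,
    so the last Received: in the text is the first hop)."""
    hops = []
    for value in reversed(email.message_from_string(raw_headers).get_all("Received", [])):
        value = " ".join(value.split())  # unfold continuation lines
        m_from, m_by = FROM_RE.match(value), BY_RE.search(value)
        hops.append({"from": m_from.group("host") if m_from else "",
                     "from_ip": m_from.group("ip") if m_from else "",
                     "by": m_by.group("host") if m_by else ""})
    return hops

def origin_host(raw_headers: str) -> str:
    """Host that injected the message: the first hop's 'from', or its 'by' host
    when the first hop is a local submission."""
    first = received_hops(raw_headers)[0]
    return first["from"] or first["by"]

def origin_in_domain(raw_headers: str, domain: str = "cox.net") -> bool:
    host = origin_host(raw_headers).lower().rstrip(".")
    return host == domain or host.endswith("." + domain)

def auth_checks_recorded(raw_headers: str) -> bool:
    """False for 'authserv-id; none': the receiving server recorded no SPF/DKIM result."""
    value = email.message_from_string(raw_headers).get("Authentication-Results", "")
    return ";" in value and value.split(";", 1)[1].strip().lower() != "none"
```

Only the Received: lines added by your own provider's servers are trustworthy; everything below them was written by whoever handed the message over and can be forged, so the chain proves origin only when each hop down to the first belongs to the expected domain. "Authentication-Results: cox.net; none" means the receiving server recorded no SPF or DKIM result for this message, so those checks cannot settle the question either.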

justin (Mod)
It looks like a legit email from Cox, as suggested by the lack of any links in the email that would misdirect the recipient.

So I suspect that one part of Cox does not know what the other part of Cox is doing.
Fubar (Member) to jpark324:
Do you have a router?

If not do you shut your PC off for extended periods?

Maybe you got a New IP that showed infected by someone else?
whosmatt (Member, join:2005-02-28, San Diego, CA) to jpark324:
I got one of these as well. False alarm here too.