3

I received alerts (email & browser injection) from my ISP about a Zbot infection behind my modem.

I ran Microsoft's malicious software removal tool, as well as AVG's Zbot remover on both my Windows PCs and they found nothing. I also did a full scan with ESET, my normal anti-virus.

Is this a false positive? Is there anything else I should do?

Edit: Message From My ISP: https://pastebin.com/fw5AmHbX

Edit2: I do have OSX and Linux machines here as well, but I believe Zbot is only a Windows infection.

Brack
  • While you did not provide the exact message sent by the ISP, such messages usually include more details on how to deal with such a problem. Did you follow all these instructions *for all systems* behind the modem? This includes any systems you own but also systems owned by family or friends which share the same modem. If you did not find anything, ask your ISP for more details - it is impossible to say with only this information if this is a false positive or not, but your ISP might have more information. – Steffen Ullrich Jul 24 '17 at 20:48
  • I added the text of the message from my ISP. – Brack Jul 24 '17 at 22:14
  • It sounds like the ISP noticed some suspicious activity and the closest thing they could relate it to is the Zbot – Henry F Jul 25 '17 at 04:20

4 Answers

3

First, you should verify that the email from your ISP is valid (i.e. came from your ISP). I'm not sure why anyone would warn you of a possible infection with malicious intent, but paranoia is not always the worst thing in the world when it comes to security. Call your ISP. Ask them how they caught this.

Unless you explicitly know what you are looking for (socket calls, heartbeats, etc.) it is going to be hard to verify. It's always better to be safe than sorry. Again, call your ISP and see how they fingerprinted this, and from there you may be able to narrow down the point of infection.

If it is in fact Zbot then it can be VERY difficult to detect and remove with standard AV tools or even running a script called tron script. You can try your best with the tools at your disposal, and even run the tron script to see if it picks anything up. But, this is one of the prime delivery methods for ransomware, botnets, etc. And as such, it is very well hidden and written.

Here's where the story gets sad: you probably need to nuke it from orbit. I know, this option sucks... a lot... But most, if not all, of us run into this from time to time. Especially in the research realm.

Joshua Faust
0

You should definitely contact your ISP and ask for further advice and inquire about their assessment.

If you are actually infected by this kind of advanced malware you should probably just reinstall your Windows. Some advice on detecting if you are infected can be found here or here (both links from Wikipedia). However, since this is not a perfectly accurate process, you should really get in touch with your ISP.

If there is a chance that you really are infected don't bother trying to remove the malware, just reinstall.

Elias
  • Notice that "reinstall Windows" ceased to be "safe" a long time ago. You need to get rid of basically all your data to avoid the risk of reinfection. That's what Joshua meant with "nuke it from orbit". – Marcus Müller Jul 25 '17 at 03:08
  • Indeed, and depending on your threat model the BIOS could be infected, too. I'm not sure what the correct advice is here. Reinstalling Windows seems the only practical thing to me. – Elias Jul 25 '17 at 08:25
0

Excuse the slightly philosophical answer, but:

Since you can't travel back in time to get a full view of what your network did at the time of detection, and since you don't have a sufficiently complete recording of its interactions with the internet at that time, you logically can't disprove the correctness of that alarm.

So, to answer the title of your question:

You can't know. With these kinds of things, you normally rather err on the side of safety and presume the alarm is justified.

Marcus Müller
-1

Determining if it is a false positive can be tricky. Do you have access to the binary of the file in question?

If possible, you can grab a binary of the "infection" and upload it on VirusTotal and see how many AntiVirus solutions detect it as malware.

Alternatively, you can obtain an MD5 hash of the binary and submit it to VirusTotal to see if it has a history of being detected as malware.

Another more advanced way is to actually reverse engineer the binary in a disassembler or debugger to study the behavior of the binary. You may also execute it in a sandbox and use process explorer utilities to see what kind of changes it tries to make in the system and what child processes it spawns.

whoami
  • Downvoted because it is clear from the question that the OP only has the claim by the ISP and that AV software did not find anything suspicious. In this case it is highly unlikely that the OP knows which binary might have caused the warning from the ISP, i.e. there is no *binary in question* but only the warning about malicious behavior of some system behind the modem. – Steffen Ullrich Jul 24 '17 at 20:43
  • Plus, in recent years, file hash methods have proven to be increasingly futile, due to malware commonly getting smart enough to just modify itself enough to evade such signature-based identification whilst still retaining functionality. – Marcus Müller Jul 25 '17 at 03:14
  • Not a good reason to down-vote – Henry F Jul 25 '17 at 04:19