[8.17.2015 26289827] Compromised Computer Notification from Cox Communications

I called 800-753-6085 and was told by the representative "Ben" that he does not have access to the log that shows which IP address and port number that triggered the alert.  He said that information was "above his pay-grade" and all he knew was "they were somewhere in Atlanta".

So, if we are still assuming the alert sent by Cox is valid, then why are they withholding valuable information that could help me isolate which computer on my home network is compromised?

Sounds like it's time to file a BBB complaint - that always gets the Cox executives excited.

As previously stated, I am looking for the EXTERNAL IP address and port number that triggered the alert by Cox.  This will enable me to search and/or actively monitor for that IP address in my router connection log and local machine network connections logs to isolate the affected device.  Why is a simple request so hard for Cox to fulfill?  I already know the answer is rampant incompetence - but that should be no excuse.

@Vegas

If you are behind a router, and if that router has Network Address Translation (NAT) enabled, then *every single device* behind that router will show the same "external" IP address.

Beyond that, you can find out your own "external" (internet-facing) IP address by simply going into your router's "Status" page and looking at what it has for the IP.

OR

...you can go into your cable modem's page, usually at 192.168.100.1, and if your modem is not one that has limited information pages, you can also find the external IP there.

Problem is though that EVERY device you use will have that same IP.  Your router does the job of handling what is behind the router.  Your router sees those, as they are on a private network, and private network information does not route across the internet.

Hey guys, I just got out the hospital because this thread gave me cancer.  Luckily now I'm cured because the Cox "Safety Team" followed up with me directly and provided me with the hostname of the external address that triggered the alert.

@BrianS - I appreciate the effort you put into that post.  While the information you wrote is correct, it has nothing to do with what I was asking for.  I was looking for the external IP (in this case it was a website, noted below) that was accessed from my home network that caused Cox to send me the alert. 

And now without further ado - here is the reply for Cox:

Dear Sir or Madam,

A device at your location was seen connecting to www.bigantsoft.com on 8/17/2015 @ 05:24:36 UTC which is a know command and control server for the Zeus or "Zbot" virus.   You may want to verify that your wireless network is secured and that there is no unauthorized access to your network at your location.  Additionally if you had any guests connect to your network on this date they could also be infected as well.  Also please be aware that their is a variant of this virus for both the android and possibly the ios smartphones and tablets as well.

Sincerely,
The Cox Communications Customer Safety Team

Well, I hope you have the logs on your side.

That said though, when you ask for an "external IP", most people will, rightfully, believe you to be asking for the specific IP address of the specific device on your side, within your own network.  So long as IPv4 with NAT is used, if it is a multi-device network behind the NAT device, that information is simply not obtainable.  IPv6 will allow that, as it uses the MAC as part of the address, but that's neither here nor there with respect to this.

If you want to make yourself clear as to what you are asking for, which is the DESTINATION address (use of "external" causes confusion), then in the future, you might consider asking:

How did you determine that a device on my network might be compromised?  Did it visit a particular website or contact a particular IP address?  If so, what was that web site or IP that one of my machines contacted?

Bear in mind though that Zeus runs through quite a few different web site names / IPs so as to avoid easy detection.  That's why I hope you still have the logs going back as far as you need them.

Well, in a fun bit of uncanny coincidence, my account got the same warning just after I posted earlier.

I called in and they too told me "bigantsoft", but this was after I read to them Vegas50000 post, so I am a bit less-than-convinced with that.

I have found out that another user in my house has gone "a-clicking" on some mail messages.  The most suspicious is one that said the account has exceeded it's mail account space, and to click something for a free 20GB.  I used a remote page source code viewer and that one seems to attempt to run a javascript file on page load in a try/catch block, with the catch just being catch(e), so apparently swallowing any error and displaying nothing to the end-user.  There was another one, or multiples, but the user is not sure.  The user is also not sure what they clicked and when they clicked it.  Yep, a tech support nightmare.  

I have advised said user to not click on anything else, be that from friends, family, or even if it is from God, until running it by me. 

I called the 800# and was told that if further traffic is seen, additional emails will be sent.

For the moment though, I have no idea what, if anything, is compromised.  Scans are coming up clean.

Use Procmon.exe to monitor all your network traffic on your local machine - it's part of the Sysinternals Suite from Microsoft.  Download here: https://technet.microsoft.com/en-us/sysinternals/bb842062.  You can filter out all the known and trusted exe's and watch in real time as well.

vegas50000 said:

Use Procmon.exe to monitor all your network traffic on your local machine - it's part of the Sysinternals Suite from Microsoft.  Download here: https://technet.microsoft.com/en-us/sysinternals/bb842062.  You can filter out all the known and trusted exe's and watch in real time as well.

TCPView would also be helpful.

I am almost sure this came from the "get 20GB" mail scam.  I have no idea why the user clicked on it.  So many things were obviously wrong, but they are not as careful as they should be.  It went to a thompsonbros URL, supposedly in Australia.  The mail was displayed as being from a "no-reply@microsofts.com".

This is the text of the mail:

Edit: removed text because it had an HTML table with an embedded link to the phishing thompsonbros site.

********************************************

The user claims they did not do anything but click on the link.  They stopped when they got to the link, but I am showing that McAfee Site Advisor should have popped up a warning at around the same time, per the browser history (Firefox 40.0.2)

What I am trying to figure out is if by simply loading the page caused something in javascript to get executed successfully or not.

OK.  So I've spent hours upon hours on this, and am coming up with nothing.

What I *WILL* gripe about though is that somehow over the past couple of weeks, NOTHING was being routed to the online SPAM folder in Webmail.  I would guess that happened around the same time I got prompted *BY COX* to "update account information" such as security questions and whatnot.  It was a legit thing, as it happened when I clicked to sign in to "MyAccount" here, so it WAS from Cox.  That whole fiasco forced me to not only update the security questions, but also update the password.  Not only that, I also had to go into Thunderbird and change POP and SMTP settings to append @cox.net after the user name, as just the plain name was no longer being accepted.

Why does this matter?  Well, I can't prove this was you all at Cox or if I accidentally did something, but when I checked and saw nothing going into the spam folder, I checked the settings and the darn thing had NO OPTION SELECTED! 

I re-selected the typical default (deliver to online spam folder), so it is back on now, but, and here's the part I can't prove, again, but I can indeed speculate that the phishing mail that I got, which made it all the way through to Thunderbird, that the user went clicking on and initiated this whole up-all-night and possibly for as much as 48 hours event:

****** MIGHT HAVE BEEN STOPPED BY THE SPAM FILTER IF THE #%$! THING HADN'T BEEN TURNED OFF!!!!****

ChrisL said:
@BrianS

If you were getting warnings about Zeus it's worth noting that's a pretty nasty key logger.  You may want to go back to your webmail from a known safe computer and check all of your settings to see if anything else was compromised.  It's entirely possible somebody got into your webmail account and was up to no good.

Chris,

As for the webmail spam folder, not sure what happened there, but I suspect the mail had a good chance of being considered spam / phish.

I am 99% sure that the activity causing the alert generation (just 1, not multiple) was the web site in the phish mail, considering I have viewed it through VirusTotal www.virustotal.com

That is showing multiple detections as malware/phishing.  The code for the script in the site references a "westiniedsho.us", and I can track that back to a "former" C&C https://zeustracker.abuse.ch/monitor.php?host=westiniedsho.us

I've done all kinds of scans and have not found anything.  I've got Comodo firewall monitoring outbound UDP to any site, and so far, all that is showing up is normal DNS traffic and Link-Local Multicast Name Resolution / bonjour traffic.

Do you all have any access to a system where you can actually load up the site that was in the mail and see what happens without risk, like within a honeypot system?

So tonight I got another email from Cox.  Is this just a ploy to sell AV software?

Here is what COX said previously:

A device at your location was seen connecting to www.bigantsoft.com on 8/17/2015 @ 05:24:36 UTC which is a know command and control server for the Zeus or "Zbot" virus. You may want to verify that your wireless network is secured and that there is no unauthorized access to your network at your location. Additionally if you had any guests connect to your network on this date they could also be infected as well. Also please be aware that their is a variant of this virus for both the android and possibly the ios smartphones and tablets as well.

---

Hello

Your IP reached out to the control site:

70.189.244.191 - www.bigantsoft.com - 2015-08-19

Thank you

---

Hello

The site, itself is not the malware, it’s where the Command and Control is hosted.

A Virus Total scan on the site is not likely going to reveal anything. Something on your network made a DNS query and a connection to the command and control for Zeus hosted on the domain bigantsoft.com.

Thank you

---