5 Replies Latest reply on Jan 26, 2010 11:08 PM by BMann

    Malicious IP attack after 2 weeks of DAT file update problems

      Hello:

       

      PLEASE HELP.

       

      I hope this is the correct board for this new thread: 3 attacks by a malicious IP were blocked today (not by McAfee but by my other standalone A/M app).

       

      I was one of many home users affected by the recent McAfee DAT file update server "problems" that began on Jan 7 and may only have been resolved yesterday.

       

      During this time, our computers did not always have the most current DAT files, and they were constantly accessing the internet via IE to access the download servers for updates.

       

      As an added precaution during this time, in addition to the OEM McAfee, I installed MBAM Pro 1.44 (Malwarebytes Anti-Malware) several days ago, as suggested by several forum members and a moderator.

       

      Today, upon booting up the system when I returned from work, I got a system tray popup that MBAM had blocked a malicious IP: 69.64.155.13.

      The malicious content of this IP has been confirmed by the tech support personnel at Malwarebytes.

      I was advised to have my computer fully checked for infections.

       

      Background:

      1) Since I purchased this computer, McAfee has NEVER ever detected a single infection (except 1 FP months and months ago): I scan EVERY DAY and have never picked up a thing.

      2) Daily scans with Counterspy 3.1 (daily quick, weekly deep) have also always been clean (including last night's quick scan).

      3) Several quick scans with MBAM Pro (and 1 deep scan) have all been clean, as well, including a quick scan run AFTER the IP block.

      4) My OS and browsers and all apps are always fully patched.

      5) I always use FireFox with a number of privacy/security extensions, rather than IE as my preferred browser.

      6) My IE security was set at med-high until early this week, when the Aurora incident began, at which time I increased it to HIGH, while waiting to install today's patch.

      7) I am a VERY safe computer user, and do not visit questionable web sites, use P2P software, games, or other suspect software, or do anything else to compromise my system.

      8) In addition to software, I am behind a hardware firewall (router).

      9) Although the computer seems to be stable, I did note 2 unusual events in the past 24 hours:
         a) Upon download and install of yesterday's DAT file (5867) last evening, and again several hours later shortly after starting the system (which had been powered down b/c of local storms), for the first time ever I got the "red X"/not protected error message in the GUI, requiring me to "fix the problem". This had never EVER happened to me before, and now it happened twice in ~6 hours without explanation.
         b) Inexplicably this AM, I noticed that my screensaver did not start at the correct time: when I checked the CP, the setting was "1093 minutes" (when it was supposed to be 10); I reset it and it seems to be working properly, but this has never happened before.

       

      Experience has taught me that coincidences do not occur with computers.

       

      The only "unusual" thing to have happened recently is the McAfee "server problem" that lasted intermittently for nearly 2 weeks, during which time the computer repeatedly accessed the internet via IE8 in order to repeatedly download DAT files countless times over many days.

       

      Given the AURORA situation and the severe "server problems" with McAfee, I can only surmise that these events are somehow related.

       

      WELL, NOW I need to start the whole process of having my computer checked for infections that McAfee has missed.

      Moreover, I would not have known, had I not installed the standalone app that detected a problem McAfee missed.

       

      Even under the best scenario (no infection), I will now be spending countless more hours on this problem.

       

      Can someone please advise as to how to proceed with the "malware investigation/removal process"????

       

      What additional standalone AV/AM might I also employ?


      How do I proceed with McAfee/AVERT?

       

      I am mentally and physically exhausted by the events of the past 2 weeks trying to deal with the server problems.  The lost productivity has been enormous, and I just don't know how I can deal with this potentially disastrous new development.

       

      I am about to start with sequential deep scans using McAfee, MBAM and Counterspy.

       

      Please help!

       

      Thank you,

       

      MM

       

       

      Message was edited by: MoxieMomma on 1/21/10 10:05:16 PM CST
        • 1. Re: Malicious IP attack after 2 weeks of DAT file update problems

          >Can someone please advise as to how to proceed with the "malware investigation/removal process"????

           

          Hello,

           

          If you have any suspicious files, you can submit them for investigation here:

           

          https://www.webimmune.net/

           

          Malicious IP attacks can be directed even at the best protected computer, it's completely normal to see them blocked in firewall logs.

           

          If you are worried that you were forced to use IE before it was patched for Aurora, it may be worth it to scan your computer with AuroraStinger (special Aurora-related tool from McAfee), available here: http://vil.nai.com/vil/averttools.aspx

           

          Regards,

          Irene

           

           

          Message was edited by: imikhlin on 22/01/10 12:02:29 CST
          • 2. Re: Malicious IP attack after 2 weeks of DAT file update problems


            Hello, Irene:

             

            Thanks for writing.

             

            More info for you:

             

            Since last night, I have done the following:

            1) Installed an additional standalone AV/AM (SuperAntiSpyware Pro).

            2) Run deep scans with all 4 security apps: McAfee, Counterspy, MBAM Pro and SAS Pro --- all were clean, as of this AM when I powered off the system to leave for work.

            3) Installed the MSIE patch (actually, that was done as soon as it was available yesterday, of course).

            4) Monitored updates for all security apps and logs of events.

            5) Run an additional SAS and MBAM quick scan or two between early AM and midday today - clean.

             

            I thought I was out of the woods, b/c there were no more IP blocks after the 1 episode (3 attempts) yesterday.

             

            HOWEVER,  here is the BAD news.

             

            MBAM just now blocked the same IP again (3 times).

            Most interesting and distressing -- I can now "reproduce" the conditions.

             

            The first time this happened was yesterday afternoon, when I booted up the computer in late afternoon, the time of day that McAfee consumer DAT updates are available.

            The attack occurred at the time McAfee SC updater was checking for daily DAT file updates - never having had a problem with this before yesterday.

            It's not a system start-up event, b/c when I rebooted last night (after installing DAT 5868 a few hours earlier) to finish installing the MSIE patch, there was no attack.

             

            JUST NOW, TODAY, the sequence of events was identical to the first attack.

            I returned from work, powered up the computer and started MBAM active protection (as soon as McAfee had loaded in the system tray), and as soon as McAfee updater went out to the server to check for updates (IOW within seconds of the popup alert that DAT updates were available), BANG! IP attack. Same IP. Successfully blocked again, but only b/c I had MBAM active protection running in time.  AND, missed AGAIN by McAfee SC.

             

            So, this just started yesterday and has only occurred (twice now in 2 days) after a reboot AND when McAfee SC is connecting to internet to update servers via IE for DAT files.  It did not occur when I rebooted last night between McAfee updates.

             

            I myself do NOT use IE for web browsing.

            McAfee SC DOES.

            Moreover, the clueless McAfee live chat TS agent on Wed night DID use IE8 during his screen share session, BEFORE the MS patch, despite my telling him NOT to.

             

             

            So, to sum up, here is what I know.

            I am not a power user, so I can only describe what I observe bc I do not have the technical expertise to be more specific.

             

            A. The system was entirely clean and not under attack at any time prior to the McAfee "consumer update server issue" that started on Jan 7 and was only resolved yesterday: McAfee SC has NEVER EVER detected a single infection or important event for as long as I've had the computer.

            B. Over the 2-week period, McAfee SC was in a nearly "constant" state of updating; although on my HSI connection, it was not as prolonged as on dial-up, there were countless "updates" and "downdates" from the servers a million times a day for nearly 2 weeks.  Each time, McAfee was accessing the internet to reach the servers.

            C. Despite my warning him NOT to do so, the McAfee TS agent intentionally used IE 2 nights ago (before the patch) for no justifiable reason during his remote assist session, even though I told him to use FF.

            D. MSIE was completely vulnerable during this period (despite active DEP and the best security settings I could configure on this system) to the AURORA exploit.

            E. I have been able to reproduce the problem by restarting the system in the late afternoon at the time of day when the latest DAT file is published.  Hence when the McAfee updater phones home at startup to look for updates, BANG, I get attacked.

            F. At least 1 other reboot at a time of day when updates were NOT available did not result in an attack, and there were no other attacks at times when no applications were accessing the internet.

            G. The McAfee FW did NOT detect or log any of these events, nor did it block them.

            H. Multiple deep scans with several programs (thus far) have been clean, but I have not yet installed and run HJT.

            I. I am a VERY careful and prudent computer user, do not use any P2P software or games, do not use IE for browsing and do not download or install questionable software.

             

            I am not a computer engineer, but I can connect the dots here.

             

            The only "unusual" occurrences in the recent time period that would have increased my system's vulnerability to inbound attack or infection directly or indirectly relate to the 2-weeks of abject h@ll we consumers have been experiencing b/c of McAfee's "server problem".  So, this must all be related.  The fact that McAfee FW didn't even detect, log or block these adverse events is VERY worrisome and infuriating.  Alas, I am too old and cynical to believe in coincidences.

             

            SO.........

             

            You mention that such attacks are "completely normal", but mine only started when a McAfee TS agent used MSIE before the Aurora patch and after 2 weeks of nearly constant IE use for DAT file updates.

            You mention the "stinger tool" (I recall a similar tool from days of Conficker (with which I was never infected)) -- I have no idea how to deploy it.

            You mention "submitting" files for analysis -- I have no idea how to do that.

             

            I really have no idea how to proceed and I am really beaten down and growing ever more concerned about an ongoing unresolved problem. I am now over my head with this.

             

            Under the circumstances, having invested countless hours and hours and hours working on these McAfee problems which were never "my fault" or a problem with my system (Ref #440297878, 441965056 and HOURS at the McAfee & other forums, scanning, researching, installing security software, scanning again), I would most sincerely appreciate more specific help from a Tier3 TS agent (with phone and screenshare capability) in North America.

             

            Is that possible???

             

            Please???

             

            Thanks,

             

            MM

             

             

            Message was edited by: MoxieMomma on 1/22/10 5:19:03 PM CST
            • 3. Re: Malicious IP attack after 2 weeks of DAT file update problems

              Hello,

               

              I've asked people who are more knowledgeable about blocked IP traffic than myself, and they confirm that it's not a sign that your PC is in any way compromised.

              Am I right in understanding that you've installed the MBAM tool that reports these attacks to you quite recently as well?

               

              I don't know how your McAfee firewall is configured; maybe it's possible to see the same IPs in the logs there. What I'm saying is that the fact you haven't seen these attacks reported before does not mean they were not happening before.

               

              As for Stinger, I'll try to be more specific: http://download.nai.com/products/mcafee-avert/aurora_stinger.exe

               

              Download this file.

              Save the file to your desktop and double click the file. You will now see a small window with some options. Please click on "Preferences".
              Under "Scan these targets" check both boxes
              Under "On virus detection" select "Delete" option
              Under "Heuristic network check for suspicious files" select "Medium" from the drop down box.
              Click "OK"
              Select "Scan Now"

               

              This will start scanning your computer for threats related to Aurora. Hope that helps.

               

              Irene

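              Irene's point above (a blocked IP that you only started seeing after installing MBAM may have been there all along) and MM's observation in reply 2 (the blocks land seconds after the updater phones home) are both questions a log can answer. The script below is an added example, not part of this thread or of any McAfee or Malwarebytes tool: it takes two logs in a hypothetical "<timestamp> <source> <event> key=value ..." layout (real MBAM and McAfee firewall logs do not look like this, so adapt `parse_log` to whatever format you export), and the sample lines are constructed to mirror what MM describes. It reports how many distinct destination IPs were blocked, how many blocks fell within a short window after an update check, and which update checks drew no block at all. A consistent pairing with the update check is evidence of a scheduled trigger, not of compromise or its absence.

```python
"""Correlate blocked-IP alerts with updater activity (added example).

The log format is hypothetical and the lines are constructed: the same IP
blocked three times on two consecutive afternoons, each cluster seconds after
a DAT update check, and nothing around a mid-evening check that found no update.
"""
from collections import Counter
from datetime import datetime, timedelta

TS_FMT = "%Y-%m-%d %H:%M:%S"

# Constructed sample data; the IP is the one reported in the thread.
MBAM_LOG = """\
2010-01-21 17:02:11 mbam BLOCK ip=69.64.155.13 proc=iexplore.exe
2010-01-21 17:02:14 mbam BLOCK ip=69.64.155.13 proc=iexplore.exe
2010-01-21 17:02:19 mbam BLOCK ip=69.64.155.13 proc=iexplore.exe
2010-01-22 16:58:40 mbam BLOCK ip=69.64.155.13 proc=iexplore.exe
2010-01-22 16:58:43 mbam BLOCK ip=69.64.155.13 proc=iexplore.exe
2010-01-22 16:58:47 mbam BLOCK ip=69.64.155.13 proc=iexplore.exe
"""

UPDATER_LOG = """\
2010-01-21 17:02:05 mcafee UPDATE_CHECK result=available
2010-01-21 22:41:50 mcafee UPDATE_CHECK result=none
2010-01-22 16:58:33 mcafee UPDATE_CHECK result=available
"""


def parse_log(text):
    """Turn each line into a dict with 'ts' (datetime), 'source', 'event' and any key=value fields."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        date, clock, source, event, *fields = line.split()
        rec = {"ts": datetime.strptime(f"{date} {clock}", TS_FMT),
               "source": source, "event": event}
        for field in fields:
            key, _, value = field.partition("=")
            rec[key] = value
        events.append(rec)
    return events


def correlate(blocks, checks, window_seconds=30):
    """Pair every block with the latest update check at most `window_seconds` before it, or None."""
    window = timedelta(seconds=window_seconds)
    pairs = []
    for blk in blocks:
        prior = [c for c in checks if timedelta(0) <= blk["ts"] - c["ts"] <= window]
        pairs.append((blk, max(prior, key=lambda c: c["ts"]) if prior else None))
    return pairs


def summarize(mbam_text, updater_text, window_seconds=30):
    """Distinct IPs, blocks that follow an update check, and checks that drew no block."""
    blocks = [e for e in parse_log(mbam_text) if e["event"] == "BLOCK"]
    checks = [e for e in parse_log(updater_text) if e["event"] == "UPDATE_CHECK"]
    pairs = correlate(blocks, checks, window_seconds)
    matched = {id(c) for _, c in pairs if c is not None}
    return {
        "blocks_total": len(blocks),
        "distinct_ips": Counter(b["ip"] for b in blocks),
        "processes": Counter(b.get("proc", "?") for b in blocks),
        "blocks_after_update_check": sum(1 for _, c in pairs if c is not None),
        "update_checks_without_block": [c for c in checks if id(c) not in matched],
    }


if __name__ == "__main__":
    s = summarize(MBAM_LOG, UPDATER_LOG)
    print(f"{s['blocks_after_update_check']}/{s['blocks_total']} blocks within 30s of an update check")
    print("blocked IPs:", dict(s["distinct_ips"]))
    print("initiating processes:", dict(s["processes"]))
    for c in s["update_checks_without_block"]:
        print("update check with no block:", c["ts"].strftime(TS_FMT), c["result"])
```

              If the McAfee firewall log can be exported, feed it in as a third input the same way; finding the same destination there settles whether McAfee saw the traffic, and the `proc` field (if your log records it) tells you which process opened the connection. The script only establishes timing; whether the destination is malicious is a separate question that Malwarebytes support answered for MM in the first post.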
              • 4. Re: Malicious IP attack after 2 weeks of DAT file update problems

                Hi, Irene:

                 

                Sorry for the late reply.

                I had no electricity for 24 hours, so I was REALLY off the grid yesterday.

                Quite refreshing (esp since I had no heat, either).

                 

                Anyway,

                 

                Re: IP intrusions - yes, I had installed MBAM only 7-10 days earlier. However, there had been no malicious IP attacks following the install until this happened.  The first time (Thur), I wrote it off as a one-time event. When it happened the next day (same time - afternoon, same circumstances - booting up system/McAfee phoning home for updates/DAT file available, and same malicious IP) it seemed more like a reproducible pattern than a coincidence. Fortunately, it has not happened for a couple of days, so, perhaps that is the end of that. You're likely correct, these attacks were probably always happening. Disconcerting, though, is the fact that none were ever detected or blocked by McAfee. Had it not been for MBAM, I wouldn't have known and - more importantly - my computer could well have become infected.

                 

                Re: Stinger -- after a number of deep scans with 4 different security apps (McAfee, Counterspy, MBAM and SAS) all came up clean repeatedly, and after my GTA session with the VRT on Friday (or was it Saturday?), I'm pretty comfortable that I'm not infected.  That said, is there any harm to running the Stinger tool?  (The warning on the webpage about permanently screwing up one's system by running it scared me off.)  I think I ran it "back when" during the Conficker adventure, but I often feel "if it ain't broke, don't fix it". If there's no real downside to running it, then should I?

                 

                Thanks,

                 

                 

                MM

                 


                • 5. Re: Malicious IP attack after 2 weeks of DAT file update problems
                  BMann

                  No problems running the Stinger, MM.  We do add new technology and drivers that aren't in the released DAT files yet, so there can be things that it will catch that the released DATs may not yet.

                   

                  Thanks

                   

                  Brian