Solved

CryptoLocker and Botnets and AT&T

Posted on 2013-11-22
Last Modified: 2013-12-03
Had a fight with Cryptolocker...client had to pay the ransom as no backups...

Next day I get this email from ATT....

So my question is this...
1.  Is this a legitimate ATT email...???
2.  I am assuming the botnet is coming from the laptop I was getting decrypted as the time indicated in the email is when Crypto was decrypting the data...
3.  So I am assuming that while Crypto was decrypting they were also installing a botnet...

My first post on this Crypto issue....
http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Windows/Windows_7/Q_28297517.html

Appreciate any help, thoughts and ideas...
Thanks
Steve

Sent from
AT&T IISS Network Security [netsec@att.net]

(I have deleted my IP address in the email...but the IP address ATT states in the email is my correct IP)

Content-Type: multipart/alternative; boundary="boundary-696481"
Message-Id: <mailbox-5096-1385055410-432875@hades.sgi.int>
Date: Thu, 21 Nov 2013 12:36:50 -0500
MIME-Version: 1.0

--boundary-696481
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable

Important computer safety notice from AT&T Internet Services Security Center - Bot Traffic Detected

Site ID: 062284680
Primary Account Holder: AT&T Uverse customer

Dear AT&T Uverse customer (Primary Account Holder),

AT&T has received information indicating that a device using your Internet connection may be infected with malicious software.
Internet traffic consistent with an infection was observed at Wed, 20 Nov 2013 12:29:58 +0000 from the IP address 1xx.2xx.1xx.xx. Our records indicate that this IP address was assigned to you at this time.

The information indicates that your Internet connection was being used to provide DNS services to a zombie computer network, also known as a Botnet. Infection details:

Type: Ransomware
Source port: 55946
Destination IP: 87.xx.xx.229
Destination port: 80

Botnets are networks of compromised computers under the control of a hacker or group of hackers. Botnets are often used to conduct various attacks ranging from denial of service attacks on websites, to spamming, click fraud, and distribution of malicious software.

To address this problem we ask that you immediately take the following steps to secure your network:

  1. If your computer(s) are managed by an Information Technology
    (IT) group at your place of work, then contact them
    immediately.

  2. AT&T offers a free online scan tool PC Health Check that will
    scan for virus/spyware activity at https://pccheck.att.com/.

  3. If your computer(s) are personally owned, then update the
    security software on your system (follow the instructions on
    your vendor's website). You might also consider installing new
    security software such as AT&T Security Suite; see
    http://www.att.net/iss. (You must be logged in with the Master
    Account ID to download AT&T Security Suite).

  4. If you are an advanced user, then consider reimaging your
    computer(s) and installing the necessary software patches. If
    you prefer, this can be done by a third party such as AT&T
    Connect Tech; see https://remotesupport.att.com/index.aspx.
    AT&T Computer consultants trained to clean infected machines
    may also be located in your area.

  5. In all cases, please respond by forwarding this email to
    abuse@att.net with an acknowledgement of: "I am taking steps to
    address this infection." When we receive such an
    acknowledgment, we can maintain the high quality of service you
    expect from us. We welcome feedback on what removal tools or
    methods were used.

Although the activity is likely unintentional, it is still in violation of AT&T's Acceptable Use Policy. To review the AT&T Acceptable Use Policy, go to http://www.corp.att.com/aup.

Below are some additional sites you can visit for tools or
information:

  * AT&T PC Health Check: https://pccheck.att.com/

  * Microsoft Security Essentials:
    http://www.microsoft.com/security_essentials/

  * Microsoft Safety Scanner:
    http://www.microsoft.com/security/scanner/

  * OS X Gatekeeper: http://support.apple.com/kb/HT5290

We also recommend you run an anti-spyware application, like Malwarebytes Anti-Malware or Spybot:

  * http://malwarebytes.org/mbam.php

  * http://www.safer-networking.org/en/index.html

Regards,

AT&T Internet Services Security Center


DISCLAIMER: The information above contains links to software by third-party vendors (hereafter, "the Software"). AT&T is not responsible for support or assistance for any of the Software. If you need support or assistance with any of the Software, please contact the Software's vendor directly. AT&T is unable to provide a warranty or guarantee, either expressed or implied, for any of the Software. You will be responsible for your own system software and system security and not hold AT&T, its partners, agents or affiliates liable for any costs or damages whatsoever (including, without limitation, damages to access system, hardware and/or software) to your computer as a result of installing or using any of the Software. You also understand that use of all hardware and/or software must comply with the AT&T Acceptable Use Policy.

Important Note: This email contains links to various websites. You may copy and paste the URL(s) into your browser rather than clicking directly on the link.


©2013 AT&T Intellectual Property. All rights reserved. AT&T, the AT&T logo and all other AT&T marks contained herein are trademarks of AT&T Intellectual Property and/or AT&T affiliated companies. All other marks contained herein are the property of their respective owners.
Privacy Policy (Updated 06-29-13)

--boundary-696481--
Question by:stevem5000
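The notice above gives the observation time in UTC, so it has to be converted to local time before it can be matched against when the laptop was being decrypted (question 2). As an added example that is not part of this thread or of AT&T's tooling, the following Python script parses the quoted notice, turns the timestamp into a local log-search window (the -5 hour offset is an assumption taken from the -0500 Date: header on the notice) and builds a capture filter from the infection details:

```python
import re
from datetime import timedelta, timezone
from email.utils import parsedate_to_datetime

# Constructed sample: the relevant lines of the AT&T notice quoted in the
# question, with the IP addresses masked exactly as the poster masked them.
NOTICE = """\
Internet traffic consistent with an infection was observed at Wed,
20 Nov 2013 12:29:58 +0000 from the IP address 1xx.2xx.1xx.xx. Our records indicate that this IP address was assigned to you at this time.

The information indicates that your Internet connection was being used to provide DNS services to a zombie computer network, also known as a Botnet. Infection details:

Type: Ransomware
Source port: 55946
Destination IP: 87.xx.xx.229
Destination port: 80
"""

# The date may be wrapped across lines ("Wed,\n20 Nov ..."), hence re.S.
OBSERVED_RE = re.compile(r"observed at\s+(.+?)\s+from the IP address\s+(\S+?)\.?\s", re.S)
FIELD_RE = re.compile(r"^(Type|Source port|Destination IP|Destination port):\s*(.+?)\s*$", re.M)


def parse_notice(text):
    """Return a dict with the UTC observation time and the infection details."""
    m = OBSERVED_RE.search(text)
    if not m:
        raise ValueError("no 'observed at ... from the IP address ...' sentence found")
    when = parsedate_to_datetime(" ".join(m.group(1).split()))
    if when.tzinfo is None:  # a "-0000" zone parses as naive; treat it as UTC
        when = when.replace(tzinfo=timezone.utc)
    record = {"observed_utc": when.astimezone(timezone.utc), "customer_ip": m.group(2)}
    for key, value in FIELD_RE.findall(text):
        record[key.lower().replace(" ", "_")] = value
    for k in ("source_port", "destination_port"):
        record[k] = int(record[k])
    return record


def local_window(record, utc_offset_hours, minutes=30):
    """Convert the UTC observation to the customer's local time and return
    (start, observed, end) for searching firewall or DNS logs. The offset is
    an assumption; -5 matches the -0500 Date: header on the notice."""
    local = record["observed_utc"].astimezone(timezone(timedelta(hours=utc_offset_hours)))
    delta = timedelta(minutes=minutes)
    return local - delta, local, local + delta


def log_filter(record):
    """BPF-style expression to pull the reported flow from a capture or firewall
    export; the masked destination IP is kept as the page gives it."""
    return (f"src port {record['source_port']} and dst host {record['destination_ip']} "
            f"and dst port {record['destination_port']}")


if __name__ == "__main__":
    rec = parse_notice(NOTICE)
    start, at, end = local_window(rec, -5)
    print(f"Observed {at:%Y-%m-%d %H:%M:%S %z} local; search logs {start:%H:%M}-{end:%H:%M}")
    print("Filter:", log_filter(rec))
```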
7 Comments

Accepted Solution

by:
Nick Rhode earned 500 total points
That's a legit email. Your ISP is probably AT&T and they detected malicious traffic from the IP address, which would otherwise get the IP blacklisted.

For assistance with removal you can try some of the steps within my article

http://www.experts-exchange.com/Security/Vulnerabilities/A_12285-Virus-Removal-Methods.html

Most likely there is a botnet paired with the virus currently on the system or some sort of rootkit causing the issue.

Expert Comment

by:jcimarron
stevem5000--
Yes, I agree this email looks legit.
The most important thing would be to take the steps recommended by AT&T, such as the Health Check.

You may have learned of another, not documented, feature of CryptoLocker-- providing DNS services to a zombie computer network.

Expert Comment

by:DanCh99

Expert Comment

by:Insignificant Volunteer
Hi stevem5000

I realise that this question has been closed for a while, but I was just wondering whether you have had any repeat emails from AT&T.  The reason I ask is that a close "Internet friend" in America, who is also with AT&T, received much the same email with the difference that the Internet traffic was described as follows:

Type: ZeroAccess
Source port: 49195
Destination IP: 68.xx.xx.35
Destination port: 16465

The trojans are obviously different, but the content of the email is the same.  I am trying to clear up the PC over a remote connection (I'm in the UK), and the statement in their email that worried me a bit was the inference that they could (or would) suspend the Internet connection if the infection wasn't cleared timeously:

"Although the activity is likely unintentional, it is still in violation of AT&T's Acceptable Use Policy."

Just wondering whether you managed to get your Ransomware completely eradicated before more malicious traffic was sent and intercepted by AT&T.

Bill

Author Comment

by:stevem5000
Hi Bill...
I did follow up with ATT...
Sent them an email, told them what happened, and what I did about it...

Next I got an auto response asking for log files and a few other things that the normal home user would have no idea in the world what this stuff was...

And at that point...I figured because I got an auto response, nobody was reading my email...so I have done nothing after that...

And unless I hear from them again I don't expect to do anything more...

This Cryptolocker is a real piece of crap...I hope various governments get involved real soon and find the source and shut it down...

Hope this helps...

Expert Comment

by:Insignificant Volunteer
It does, and thank you for taking the time to post back.  Agreed about the Cryptolocker malware.  Fortunately I haven't been personally affected.  The email from AT&T gives, as its primary suggestion, the name of their online "PC Health Checkup".  This rivals Cryptolocker in terms of crappiness, albeit from the opposite side, and it seems they have jumped on the chance of a sales plug for their software.  It's handy to know my friend will get an auto-response when she emails them back to say that she is taking care of the issue.  Thanks again.

Author Comment

by:stevem5000
And I really don't think an online utility named "PC Health Checkup" is going to do the job of checking for CL and all the various things it does to a PC...

The more I read about it...I've come to believe it places a botnet on the PC and a DNS director...spills out spam and I suspect other things...

I'm of the opinion...reformat and reinstall...and really good backups...

For my home network I'm setting up a 3TB RAID1 NAS...and I'm putting Macrium Reflect on all machines...I have 6...and do an automatic image once a week, compressed, encrypted and password...I don't know for certain but I don't think CL can spread its junk to that kind of a backup...

Hopefully I won't have to find out...:>)