Solved

Crypte Locker and Botnets and ATT

Posted on 2013-11-22
7
4,105 Views
Last Modified: 2013-12-03
Had a fight with Cryptolocker...client had to pay the ransom as no backups...

Next day I get this email from ATT....

So my question is this...
1.  Is this a legitimate ATT email...???
2.  I am assuming the botnet is coming from the laptop I was getting decrypted as the
time indicated in the email is when Crypto was de-crypting the data...
3.  So I am assuming that while Crypto was de-crypting they were also installing
a botnet...

My first post on this Crypto issue....
http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Windows/Windows_7/Q_28297517.html

Appreciate any help, thoughts and ideas...
Thanks
Steve

Sent from
AT&T IISS Network Security [netsec@att.net]

(I have deleted my IP address in the email...but the IP address ATT states in the email is my correct IP)

Content-Type: multipart/alternative; boundary="boundary-696481"
Message-Id: <mailbox-5096-1385055410-432875@hades.sgi.int>
Date: Thu, 21 Nov 2013 12:36:50 -0500
MIME-Version: 1.0

--boundary-696481
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable

Important computer safety notice from AT&T Internet Services Security Center - Bot Traffic Detected

Site ID: 062284680
Primary Account Holder: AT&T Uverse customer

Dear AT&T Uverse customer (Primary Account Holder),

AT&T has received information indicating that a device using your Internet connection may be infected with malicious software.
Internet traffic consistent with an infection was observed at Wed,
20 Nov 2013 12:29:58 +0000 from the IP address 1xx.2xx.1xx.xx. Our records indicate that this IP address was assigned to you at this time.

The information indicates that your Internet connection was being used to provide DNS services to a zombie computer network, also known as a Botnet. Infection details:

Type: Ransomware
Source port: 55946
Destination IP: 87.xx.xx.229
Destination port: 80

Botnets are networks of compromised computers under the control of a hacker or group of hackers. Botnets are often used to conduct various attacks ranging from denial of service attacks on websites, to spamming, click fraud, and distribution of malicious software.

To address this problem we ask that you immediately take the following steps to secure your network:

  1. If your computer(s) are managed by an Information Technology
    (IT) group at your place of work, then contact them
    immediately.

  2. AT&T offers a free online scan tool PC Health Check that will
    scan for virus/spyware activity at https://pccheck.att.com/.

  3. If your computer(s) are personally owned, then update the
    security software on your system (follow the instructions on
    your vendor's website). You might also consider installing new
    security software such as AT&T Security Suite; see
    http://www.att.net/iss. (You must be logged in with the Master
    Account ID to download AT&T Security Suite).

  4. If you are an advanced user, then consider reimaging your
    computer(s) and installing the necessary software patches. If
    you prefer, this can be done by a third party such as AT&T
    Connect Tech; see https://remotesupport.att.com/index.aspx.
    AT&T Computer consultants trained to clean infected machines
    may also be located in your area.

  5. In all cases, please respond by forwarding this email to
    abuse@att.net with an acknowledgement of: ?I am taking steps to
    address this infection.? When we receive such an
    acknowledgment, we can maintain the high quality of service you
    expect from us. We welcome feedback on what removal tools or
    methods were used.

Although the activity is likely unintentional, it is still in violation of AT&T's Acceptable Use Policy. To review the AT&T Acceptable Use Policy, go to http://www.corp.att.com/aup.

Below are some additional sites you can visit for tools or
information:

  * AT&T PC Health Check: https://pccheck.att.com/

  * Microsoft Security Essentials:
    http://www.microsoft.com/security_essentials/

  * Microsoft Safety Scanner:
    http://www.microsoft.com/security/scanner/

  * OS X Gatekeeper: http://support.apple.com/kb/HT5290

We also recommend you run anti-spyware application, like Malwarebytes Anti-Malware or Spybot:

  * http://malwarebytes.org/mbam.php

  * http://www.safer-networking.org/en/index.html

Regards,

AT&T Internet Services Security Center


DISCLAIMER: The information above contains links to software by third-party vendors (hereafter, ?the Software?). AT&T is not responsible for support or assistance for any of the Software. If you need support or assistance with any of the Software, please contact the Software's vendor directly. AT&T is unable to provide a warranty or guarantee, either expressed or implied, for any of the Software. You will be responsible for your own system software and system security and not hold AT&T, its partners, agents or affiliates liable for any costs or damages whatsoever (including, without limitation, damages to access system, hardware and/or
software) to your computer as a result of installing or using any of the Software. You also understand that use of all hardware and/or software must comply with the AT&T Acceptable Use Policy.

Important Note: This email contains links to various websites. You may copy and paste the URL(s) into your browser rather than clicking directly on the link.


?2013 AT&T Intellectual Property. All rights reserved. AT&T, the AT&T logo and all other AT&T marks contained herein are trademarks of AT&T Intellectual Property and/or AT&T affiliated companies. All other marks contained herein are the property of their respective owners.
Privacy Policy (Updated 06-29-13)

--boundary-696481
Content-Type: text/html; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable

        <html>
            <head>
                <meta http-equiv="Content-Type" content="text/html; charset=us-ascii"><title>Important computer safety notice from AT&amp;T Internet Services Security Center - Bot Traffic Detected</title>
                <style></style>
            </head>
        <table bgcolor="#ededed" width="100%" border="0">
        <tr>
        <td style="padding: 30" align="center">
       
        <center>
        <table class="html_email_container" bgcolor="#FFFFFF" width="592" style="border: 1px solid #d2d2d2; border-collapse:collapse; text-align:left">
        <tr>
        <td style="font: 20px Verdana;height:42; padding: 15px 0 0 15px;">
       
        <a href="http://www.att.com/" style="color:#067ab4 !important"><img src="http://www.att.com/Common/images/email/service/emaillogo.gif" width="91" height="42" border="0"></a>
       
        <img src="http://www.att.com/Common/images/email/service/email1_attorange.jpg" width="590" height="11" border="0">
       
        <table width="590">
        <tr>
        <td valign="top" style="padding: 15px 0 0 15px">
        <div style="font: normal 24px Verdana; color: #fc7500; background-color: #ffffff;">Important computer safety notice from AT&amp;T Internet Services Security Center - Bot Traffic Detected</div>
        </td>
        </tr>
        </table>
       
        <table width="590">
        <tr>
        <td valign="top" align="right" style="padding: 15px 0 0 15px">
        <font size="2" face="Verdana" color="#656565" style="font-size:11px"><strong>Site ID: 062284680</strong><br>
        <strong>Primary Account Holder: AT&T Uverse customer</strong>
        </td>
        </tr>
        </table>
       
        <table width="590">
        <tr>
        <td valign="top" style="padding: 15px 15px 0 15px">
        <font size="2" face="Verdana" color="#656565" style="font-size:11px"><strong>Dear AT&T Uverse customer (Primary Account Holder),</strong><br>
        <br>
       
        AT&amp;T has received information indicating that a device using your Internet connection
        may be infected with malicious software. Internet traffic consistent with an infection was observed at Wed, 20 Nov 2013 12:29:58 +0000 from
        the IP address 108.237.111.32. Our records indicate that this IP address was assigned to you at this time.
        <br><br>
        The information indicates that your Internet connection was being used to provide DNS services to a
        zombie computer network, also known as a Botnet. Infection details:

<br><br>
        Type: Ransomware<br /> Source port: 55946<br /> Destination IP: 87.xx.xx.229<br /> Destination port: 80<br><br>
        Botnets are networks of compromised computers under the control of a
        hacker or group of hackers. Botnets are often used to conduct various
        attacks ranging from denial of service attacks on websites, to
        spamming, click fraud, and distribution of malicious software.
<br><br>
       
                To address this problem we ask that you immediately take the following
                steps to secure your network:
               
                <ol>
                <li>If your computer(s) are managed by an Information Technology (IT)
                   group at your place of work, then contact them immediately.
               
                <li>AT&amp;T offers a free online scan tool PC Health Check that will scan
                   for virus/spyware activity at <a style="color:#067ab4; text-decoration: none;" href="https://pccheck.att.com/">https://pccheck.att.com/</a>.
               
                <li>If your computer(s) are personally owned, then update the security
                   software on your system (follow the instructions on your vendor's
                   website). You might also consider installing new security software such
                   as AT&amp;T Security Suite; see <a style="color:#067ab4; text-decoration: none;" href="http://www.att.net/iss">http://www.att.net/iss</a>. (You must be logged in
                   with the Master Account ID to download AT&amp;T Security Suite).
               
                <li>If you are an advanced user, then consider reimaging your
                   computer(s) and installing the necessary software patches. If you prefer,
                   this can be done by a third party such as AT&amp;T Connect
                   Tech; see <a style="color:#067ab4; text-decoration: none;" href="https://remotesupport.att.com/index.aspx">https://remotesupport.att.com/index.aspx</a>. AT&amp;T Computer
                   consultants trained to clean infected machines may also be located in
                   your area.
               
                <li>In all cases, please respond by forwarding this email to
               <a style="color:#067ab4; text-decoration: none;" href="mailto:abuse@att.net">abuse@att.net</a> with an acknowledgement of: <i>&ldquo;I am taking steps to address
                   this infection.&rdquo;</i> When we receive such an acknowledgment, we can
                   maintain the high quality of service you expect from us. We welcome
                   feedback on what removal tools or methods were used.
                </ol>


       
        <P>Although the activity is likely unintentional, it is still in violation
        of AT&amp;T's Acceptable Use Policy. To review the AT&amp;T Acceptable Use
        Policy, go to <a style="color:#067ab4; text-decoration: none;" href="http://www.corp.att.com/aup/">http://www.corp.att.com/aup</A>.</P>
                        <P><strong>Below are some additional sites you can visit for tools or information:</strong></P>
       
                <ul>
                <li>AT&amp;T PC Health Check:
                <a style="color:#067ab4; text-decoration: none;" href="https://pccheck.att.com/">https://pccheck.att.com/</A>
               
                <li>Microsoft Security Essentials:
                <a style="color:#067ab4; text-decoration: none;" href="http://www.microsoft.com/security_essentials/">http://www.microsoft.com/security_essentials/</a>
               
                <li>Microsoft Safety Scanner:
                <a style="color:#067ab4; text-decoration: none;" href="http://www.microsoft.com/security/scanner/">http://www.microsoft.com/security/scanner/</a>
               
                <li>OS X Gatekeeper:
                <a style="color:#067ab4; text-decoration: none;" href="http://support.apple.com/kb/HT5290">http://support.apple.com/kb/HT5290</a>
                </ul>
       
                <P>We also recommend you run anti-spyware application, like Malwarebytes
                Anti-Malware or Spybot:
                <ul>
                <li><a style="color:#067ab4; text-decoration: none;" href="http://malwarebytes.org/mbam.php">http://malwarebytes.org/mbam.php</a>
                <li><a style="color:#067ab4; text-decoration: none;" href="http://www.safer-networking.org/en/index.html">http://www.safer-networking.org/en/index.html</a>
                </ul>
                </p>


        <P>Regards,</P>
        <P>AT&amp;T Internet Services Security Center</P>
       
       
        </td>
        </tr>
       
        <tr>
        <td valign="top" style="padding: 0 15px 0 15px">
        <font size="2" face="Verdana" color="#656565" style="font-size:11px">
        <br>
        <strong>DISCLAIMER: </strong>
        The information above contains links to software by
        third-party vendors (hereafter, &ldquo;the Software&rdquo;).  AT&amp;T is
        not responsible for support or assistance for any of the
        Software. If you need support or assistance with any of the
        Software, please contact the Software's vendor directly.
        AT&amp;T is unable to provide a warranty or guarantee, either
        expressed or implied, for any of the Software. You will be
        responsible for your own system software and system security
        and not hold AT&amp;T, its partners, agents or affiliates liable
        for any costs or damages whatsoever (including, without
        limitation, damages to access system, hardware and/or
        software) to your computer as a result of installing or
        using any of the Software. You also understand that use of
        all hardware and/or software must comply with the AT&T Acceptable Use Policy.
        </td>
        </tr>
       
        <tr>
        <td valign="top" style="padding: 15px 15px 0 15px">
        <font size="2" face="Verdana" color="#656565" style="font-size:9px">
        <strong>Important Note: This email contains links to various websites. You may copy and paste the URL(s) into your browser rather than clicking directly on the link.</strong></font>
        </td>
        </tr>
        </table>
        </td>
        </tr>
        </table>
        <br>
        <table width="592" style="border: 0; border-collapse:collapse; text-align:left">
        <tr>
        <td style="padding: 0 0 0 10px">
        <div style="font-size:10px; line-height: 150%; font-family: Verdana; color: #656565;">
         <a href="http://att.com/Trademark-Copyright-Privacy-Policy" title="AT&amp;T Intellectual Property" style="color:#067ab4; text-decoration: none;">&copy;2013 AT&amp;T  Intellectual Property</a>. All rights reserved. AT&amp;T, the AT&amp;T logo and all other AT&amp;T marks contained herein are trademarks of AT&amp;T Intellectual Property and/or AT&amp;T affiliated companies. All other marks contained herein are the property of their respective owners.
        <br>
        <a href="http://att.com/privacy" title="Privacy" style="color:#067ab4; text-decoration: none;">Privacy Policy</a> <span style="font-size:10px; font-family: Verdana; color: #FF0000;"> (Updated 06-29-13)</span>
       
        </div><img src="http://www.att.com/Common/images/email/Transactional_email/Spacer_White_1px.GIF" width="1" height="1"><br>
       
        </td>
        </tr>
        </table>


        <br>
        <br>
        <br>
        </td>
        </tr>
        </table>
       
        </center>
       
        </html>


--boundary-696481--
0
Comment
Question by:stevem5000
7 Comments
 
LVL 22

Accepted Solution

by:
Nick Rhode earned 500 total points
ID: 39669369
That's a legit email, Your ISP is probably ATT and they detected malicious traffic from the IP address which would otherwise get the IP blacklisted.  

For assistance with removal you can try some of the steps within my article

http://www.experts-exchange.com/Security/Vulnerabilities/A_12285-Virus-Removal-Methods.html

Most likely there is a botnet paired with the virus currently on the system or some sort of rootkit causing the issue.
0
 
LVL 50

Expert Comment

by:jcimarron
ID: 39669587
stevem5000--
Yes, I agree this email looks legit.
The most important thing would be to take the steps recommended by AT&T, such as the Health Check.

You may have learned of another, not documented, feature of CryptoLocker-- providing DNS services to a zombie computer network.
0
 
LVL 23

Expert Comment

by:Danny Child
ID: 39670623
0
Ransomware: The New Cyber Threat & How to Stop It

This infographic explains ransomware, type of malware that blocks access to your files or your systems and holds them hostage until a ransom is paid. It also examines the different types of ransomware and explains what you can do to thwart this sinister online threat.  

 
LVL 38

Expert Comment

by:BillDL
ID: 39691939
Hi stevem5000

I realise that this question has been closed for a while, but I was just wondering whether you have had any repeat emails from AT&T.  The reason I ask is that a close "Internet friend" in America, who is also with AT&T, received much the same email with the difference that the Internet traffic was described as follows:

Type: ZeroAccess
Source port: 49195
Destination IP: 68.xx.xx.35
Destination port: 16465

The trojans are obviously different, but the content of the email is the same.  I am trying to clear up the PC over a remote connection (I'm in the UK), and the statement in their email that worried me a bit was the inference that they could (or would) suspend the Internet connection if the infection wasn't cleared timeously:

"Although the activity is likely unintentional, it is still in violation of AT&T's Acceptable Use Policy."

Just wondering whether you managed to get your Ransomware completely eradicated before more malicious traffic was sent and intercepted by AT&T.

Bill
0
 
LVL 2

Author Comment

by:stevem5000
ID: 39692449
Hi Bill...
I did follow up with ATT...
Sent them an email, told them what happened, and what I did about it...

The next I got a auto response asking for log files and a few other things that
the normal home user would have no idea in the world what this stuff was...

And at that point...I figured because I got an auto response, nobody was reading my
email...so I have done nothing after that...

And unless I hear from them again I don;t expect to do anything more...

This Cryptolocker is a real piece of crap...I hope various governments get involved real soon and find the source and shut it down...

Hope this helps...
0
 
LVL 38

Expert Comment

by:BillDL
ID: 39693010
It does, and thank you for taking the time to post back.  Agreed about the Cryptolocker malware.  Fortunately I haven't been personally affected.  The email from AT&T gives, as it's primary suggestion, the name of their online "PC Health Checkup".  This rivals Cryptolocker in terms of crappiness, albeit from the opposite side, and it seems they have jumped on the chance of a sales plug for their software.  It's handy to know my friend will get an auto-response when she emails them back to say that she is taking care of the issue.  Thanks again.
0
 
LVL 2

Author Comment

by:stevem5000
ID: 39693122
And I really don't think an online utility named "PC Health Checkup" is going to do the  job of checking for CL and all the various things it does to a PC...

The more I read about it...I've come to believe it places a botnet on the PC and a DNS director...spills out spam and I suspect other things...

I'm of the opinion...reformat and reinstall...and really good backups...

For my home network I'm setting up a 3TB RAID1 NAS...and I'm putting Macrium Reflect on all machines...I have 6...and do an automatic
image once a week, compressed, encrypted and password...I don;t know for certain but I don';t think CL can spread it's junk to that kind of a backup...

Hopefully I won;t have to find out...:>)
0

Featured Post

Netscaler Common Configuration How To guides

If you use NetScaler you will want to see these guides. The NetScaler How To Guides show administrators how to get NetScaler up and configured by providing instructions for common scenarios and some not so common ones.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

New Windows 7 Installations take days for Windows-Updates to show up and install. This can easily be fixed. I have finally decided to write an article because this seems to get asked several times a day lately. This Article and the Links apply to…
When you try to extract and to view the contents of a Microsoft Update Standalone Package (MSU) for Windows Vista, you cannot extract the files from the MSU. Here we are going to explain how to extract those hotfix details without using any third pa…
This Micro Tutorial will go in depth within Systems and Security in Windows 7 and will go into detail regarding Action Center, Windows Firewall, System, etc. This will be demonstrated using Windows 7 operating system.
The Task Scheduler is a powerful tool that is built into Windows. It allows you to schedule tasks (actions) on a recurring basis, such as hourly, daily, weekly, monthly, at log on, at startup, on idle, etc. This video Micro Tutorial is a brief intro…

820 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question