Solved

Trojan Blocked on My firewall help

Posted on 2016-07-15
Last Modified: 2016-08-02
Hi, I have noticed this on my firewall. I have checked the IP and it belongs to Azure Microsoft. What is going on here?

trojan---Copy.JPG
Question by:yodaa
18 Comments
 
LVL 35

Expert Comment

by:Kimputer
ID: 41712986
For now, I'm just assuming one PC/server on your network with IP nr 192.168.0.151 is trying to get the Agent.FL/Trojan executable on that 13.107.4.50 server. And it probably failed, so it's all good.
Though, try to find out who initiated it (of course, probably the person behind that PC or server), but try to figure out if it was an email, or something else that led the user to click on the URL or executable.
Of course, it _COULD_ also mean the Trojan was already on that PC, and it just connected to that IP to look for new commands to execute. In that case, you have to take that PC/server offline, and do a full scan.
1
 
LVL 90

Expert Comment

by:John Hurst
ID: 41712989
13.107.4.50 is a Microsoft site (whois lookup) and the local computer may simply be looking for Microsoft.

Have you scanned this machine for malware?  Scan also with Malwarebytes.
1
 

Author Comment

by:yodaa
ID: 41712992
So it could be a false positive?

As at this time I was doing the Windows updates on this machine.

I'm running Malwarebytes now.
0
 
LVL 90

Expert Comment

by:John Hurst
ID: 41712995
Yes, it could be a false positive.
1
 
LVL 35

Expert Comment

by:Kimputer
ID: 41713028
While it's unfortunate this MS IP nr is (or apparently WAS) used as a Windows Update server, there are still signs that something is amiss. According to VirusTotal, quite some malware from the past day have been malware that tries to communicate with this IP nr (I assume someone probably hacked it, to redistribute malware or to use it as a Command & Control center. Could even be a typo on the hacker's part).
Therefore, the assumption that you in fact have malware on this server/PC on that local IP nr is quite easy to make. The false positive assumption is sadly because this IP nr belongs to MS, it wouldn't even come up if it was an unknown Russian IP.
https://www.virustotal.com/en/ip-address/13.107.4.50/information/ (this is the part I'm talking about: Latest detected files that communicate with this IP address
Latest files submitted to VirusTotal that are detected by one or more antivirus solutions and communicate with the IP address provided when executed in a sandboxed environment.)
1
 

Author Comment

by:yodaa
ID: 41713032
Kimputer

"Therefore, the assumption that you in fact have malware on this server/PC on that local IP nr is quite easy to make. The false positive assumption is sadly because this IP nr belongs to MS, it wouldn't even come up if it was an unknown Russian IP."

Sorry, but I don't get it. Could you please explain this to me more clearly?
0
 
LVL 90

Expert Comment

by:John Hurst
ID: 41713036
I was doing the windows updates on this machine  <-- And your machine would be going out to Microsoft to do this.
1
 
LVL 35

Expert Comment

by:Kimputer
ID: 41713045
VirusTotal received a lot of malware today. They take the malware, and run it (in a sandbox). They found out, more than a bunch of that malware submitted today, will look for that server 13.107.4.50 to get info or download stuff (not important for now).
The question now is, did your firewall block on the logic of:
- I scanned this traffic, it's bad traffic, there's malware talking on this 13.107.4.50 <> 192.168.0.151 line,
I'll block it now
THEN your PC has malware

OR

- I scanned this traffic, and in some database, it marked IP 13.107.4.50 as bad. I don't even care if it's for MS updates, I'll just mark it as bad anyway. Could be even just normal traffic.
THEN it's a false positive.

For now, I'm leaning more towards malware, it looks more like the server at 13.107.4.50 has been taken offline, probably to investigate these reports:

<h2>Our services aren't available right now</h2><p>We're working to restore all services as soon as possible. Please check back soon.</p>Ref A: FBABD80FECD2466DBF25A80EFC62A66D Ref B: 56574FD253F08480EBE49E94638C097F Ref C: Fri Jul 15 08:38:46 2016 PST
1
 

Author Comment

by:yodaa
ID: 41713049
Yes John, that's correct, and actually it did not update one Windows update.
0

 

Author Comment

by:yodaa
ID: 41713059
I have scanned this PC with Malwarebytes and Trend; it's clean.
What else can I do?
0
 
LVL 90

Expert Comment

by:John Hurst
ID: 41713064
Put it down for a while (say until tomorrow). Then try updating Windows again and see what you get.
1
 
LVL 35

Expert Comment

by:Kimputer
ID: 41713065
Finish with one more offline scan (antivirus boot DVD/USB).
1
 

Author Comment

by:yodaa
ID: 41713067
Okay, which one?
0
 
LVL 37

Expert Comment

by:Bing CISM / CISSP
ID: 41713083
> 13.107.4.50 is a Microsoft site (whois lookup) and the local computer may simply be looking for Microsoft.

You can't believe this IP is safe simply because its owner is Microsoft.

The IP range from 13.64.0.0 to 13.107.255.255 (2,883,584 IPs!) is for MS Azure, hence heaps of third-party cloud-based services, including malware services, are running there, though its ultimate owner is Microsoft.
1
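The two cases Kimputer distinguishes above (the firewall matched the traffic itself, or it only matched the destination address against a list), together with the Azure range cited in the preceding comment, as an added example that is not part of the original thread. The alert records and their field names are constructed for illustration and do not follow any real firewall's log schema.

```python
import ipaddress

# Range quoted in the thread as Microsoft Azure address space.
CITED_RANGE = list(ipaddress.summarize_address_range(
    ipaddress.ip_address("13.64.0.0"), ipaddress.ip_address("13.107.255.255")))

# Constructed sample alerts; "engine" (hypothetical field) records which part
# of the firewall raised the alert.
SAMPLE_ALERTS = [
    {"src": "192.168.0.151", "dst": "13.107.4.50", "engine": "content"},
    {"src": "192.168.0.151", "dst": "13.107.4.50", "engine": "reputation"},
    {"src": "192.168.0.20", "dst": "198.51.100.7", "engine": "reputation"},
]

def range_size(networks):
    """Total number of addresses covered by a list of networks."""
    return sum(n.num_addresses for n in networks)

def in_cited_range(ip):
    """True if ip falls inside the range quoted in the thread."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CITED_RANGE)

def triage(alert):
    """Classify one alert by what the firewall actually inspected."""
    if alert["engine"] == "content":
        # The traffic itself matched: treat the internal host as suspect.
        verdict = "traffic-matched"
    elif alert["engine"] == "reputation":
        # Only the address matched a list: may be ordinary traffic.
        verdict = "address-listed"
    else:
        verdict = "unknown"
    return {
        "host": alert["src"],
        "dst": alert["dst"],
        "verdict": verdict,
        # Shared cloud space: the owner's name says nothing about the tenant.
        "shared_cloud_ip": in_cited_range(alert["dst"]),
    }

def hosts_to_scan(alerts):
    """Internal hosts with at least one traffic-matched alert."""
    return sorted({a["src"] for a in alerts
                   if triage(a)["verdict"] == "traffic-matched"})

if __name__ == "__main__":
    for a in SAMPLE_ALERTS:
        print(triage(a))
    print("scan first:", hosts_to_scan(SAMPLE_ALERTS))
```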
 

Author Comment

by:yodaa
ID: 41713086
Okay so what else should I do?

Format this computer?
0
 
LVL 90

Expert Comment

by:John Hurst
ID: 41713090
Turn the computer off, try a different computer out the same firewall. See if you get the same results.

If not, consider formatting the computer.

If Windows 7, use the recent rollup site to get most of the updates after SP1.

https://support.microsoft.com/en-ca/kb/3125574
1
 
LVL 78

Expert Comment

by:David Johnson, CD, MVP
ID: 41713613
Only Bkav (1/55) is flagging it as a virus, and it is a Windows Defender update signed by Microsoft Authenticode. It is a false positive.
1
 
LVL 35

Accepted Solution

by:
Kimputer earned 500 total points
ID: 41716981
It would be a false positive if most Windows update servers were reported (not where you're looking, I already explained I looked at "Latest detected files that communicate with this IP address"). However, I checked others, and they're clean (or at least for this year). It clearly means this server was targeted for whatever reason, and it's too much of a coincidence that the server was taken offline, while the reports of analyzed malware keep trying to connect to it.
It's more likely the firewall detected the malware connection, than having it mark the connection as a false positive. If it wasn't a firewall, but the virus scanner, you maybe could argue it could be a false positive IF IT used the same Bkav engine, but it's not a virus scanner, it was the traffic that alerted the firewall.
Original asker can confirm this, if the Firewall works in conjunction with antivirus INSTALLED on the computer. If there's no such software, the firewall can't detect the malware, only the traffic, meaning, it's not a false positive, it really scanned the traffic only and that fired off the alert.
0
