Link to home
Start Free TrialLog in
Avatar of yodaa
yodaa

asked on

Trojan Blocked on My firewall help

Hi I have noticed this on my firewall. I have checked IP and it belongs Azure Microsoft what is going here?

User generated image
Avatar of Kimputer
Kimputer

For now, I'm just assuming one PC/server on your network with IP nr 192.168.0.151 is trying to get the Agent.FL/Trojan executable on that 13.107.4.50 server. And it probably failed, so it's all good.
Though, try to find out who initiated it (of course, probably the person behind that PC or server), but try to figure out, if it was an email, or something else that lead the user to click on the URL or executable.
Of course, it _COULD_ also mean the Trojan was already on that PC, and it just connected to that IP to look for new commands to execute. In that case, you have to take that PC/server offline, and do a full scan.
13.107.4.50 is a Microsoft site (whois lookup) and the local computer may simply be looking for Microsoft.

Have you scanned this machine for malware?  Scan also with Malwarebytes.
Avatar of yodaa

ASKER

So it could be false positive ?

as on this time I was doing the windows updates on this machine

I'm running malwerbytes now
Yes, it could be a false positive.
While it's unfortunate this MS IP nr is (or apparently WAS) used as a Windows Update server, there are still signs that something is amiss. According to VirusTotal, quite some malware from the past day have been malware that tries to communicate with this IP nr (I assume someone probably hacked it, to redistribute malware or to use it as a Command & Control center. Could even be a typo on the hackers part).
Therefore, the assumption that you in fact have malware on this server/PC on that local IP nr is quite easy to make. The false positive assumption is sadly because this IP nr belongs to MS, if wouldn't even come up if it was an unknown Russian IP.
https://www.virustotal.com/en/ip-address/13.107.4.50/information/ (this is the part I'm talking about: Latest detected files that communicate with this IP address
Latest files submitted to VirusTotal that are detected by one or more antivirus solutions and communicate with the IP address provided when executed in a sandboxed environment.)
Avatar of yodaa

ASKER

Kimputer

"Therefore, the assumption that you in fact have malware on this server/PC on that local IP nr is quite easy to make. The false positive assumption is sadly because this IP nr belongs to MS, if wouldn't even come up if it was an unknown Russian IP."

Sorry but I don't get it, please could you explain this for me more clearly please
I was doing the windows updates on this machine  <-- And your machine would be going out to Microsoft to do this.
VirusTotal received a lot of malware today. They take the malware, and run it (in a sandbox). They found out, more than a bunch of that malware submitted today, will look for that server 13.107.4.50 to get info or download stuff (not important for now).
The question now is, did your firewall block on the logic of:
- I scanned this traffic, it's bad traffic, there's malware talking on this 13.107.4.50 <> 192.168.0.151 line,
I'll block it now
THEN your PC has malware

OR

- I scanned this traffic, and in some database, it marked IP 13.107.4.50 as bad. I don't even care if it's for MS updates, I'll just mark it as bad anyway. Could be even just normal traffic.
THEN it's a false positive.

For now, I'm leaning more towards malware, it looks more like the server at 13.107.4.50 has been taken offline, probably to investigate these reports:

<h2>Our services aren't available right now</h2><p>We're working to restore all services as soon as possible. Please check back soon.</p>Ref A: FBABD80FECD2466DBF25A80EFC62A66D Ref B: 56574FD253F08480EBE49E94638C097F Ref C: Fri Jul 15 08:38:46 2016 PST
Avatar of yodaa

ASKER

Yes John that correct and actually it did not update one windows update.
Avatar of yodaa

ASKER

I have scanned this PC with Malwerbytes and Trend its clean.
What else can I do?
Put it down for a while (say until tomorrow). Then try updating Windows again and see what you get.
Finish one with more offline scan (antivirus boot dvd/usb).
Avatar of yodaa

ASKER

Okay which one ?
> 13.107.4.50 is a Microsoft site (whois lookup) and the local computer may simply be looking for Microsoft.

you can't believe this IP is safe simply because its owner is Microsoft.

the IP range from 13.64.0.0 to 13.107.255.255 (2,883,584 IPs!) is for MS Azure hence heaps of third party cloud based services, including malware services, are running there though its ultimate owner is Microsoft.
Avatar of yodaa

ASKER

Okay so what else should I do?

Format this computer ?
Turn the computer off, try a different computer out the same firewall. See if you get the same results.

If not, consider formatting the computer.

If Windows 7, use the recent rollup site to get most of the updates after SP1.

https://support.microsoft.com/en-ca/kb/3125574
only Bkav (1/55) is flagging it as a virus.. and it is a windows defender update signed by microsoft authenticode. It is a false positive.
ASKER CERTIFIED SOLUTION
Avatar of Kimputer
Kimputer

Link to home
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Start Free Trial