Solved

Trojan Blocked on My firewall help

Posted on 2016-07-15
Last Modified: 2016-08-02
Hi, I have noticed this on my firewall. I have checked the IP and it belongs to Azure Microsoft. What is going on here?

trojan---Copy.JPG
Question by:yodaa
18 Comments
 
LVL 37

Expert Comment

by:Kimputer
ID: 41712986
For now, I'm just assuming one PC/server on your network with IP nr 192.168.0.151 is trying to get the Agent.FL/Trojan executable on that 13.107.4.50 server. And it probably failed, so it's all good.
Though, try to find out who initiated it (of course, probably the person behind that PC or server), but try to figure out if it was an email, or something else, that led the user to click on the URL or executable.
Of course, it _COULD_ also mean the Trojan was already on that PC, and it just connected to that IP to look for new commands to execute. In that case, you have to take that PC/server offline and do a full scan.
1
 
LVL 99

Expert Comment

by:John Hurst
ID: 41712989
13.107.4.50 is a Microsoft site (whois lookup) and the local computer may simply be looking for Microsoft.

Have you scanned this machine for malware? Scan also with Malwarebytes.
1
 

Author Comment

by:yodaa
ID: 41712992
So it could be a false positive?

At this time I was doing the Windows updates on this machine.

I'm running Malwarebytes now.
0
 
LVL 99

Expert Comment

by:John Hurst
ID: 41712995
Yes, it could be a false positive.
1
 
LVL 37

Expert Comment

by:Kimputer
ID: 41713028
While it's unfortunate this MS IP nr is (or apparently WAS) used as a Windows Update server, there are still signs that something is amiss. According to VirusTotal, quite a lot of the malware from the past day has been malware that tries to communicate with this IP nr (I assume someone probably hacked it, to redistribute malware or to use it as a Command & Control center. Could even be a typo on the hacker's part).
Therefore, the assumption that you in fact have malware on this server/PC on that local IP nr is quite easy to make. The false positive assumption is sadly because this IP nr belongs to MS; it wouldn't even come up if it was an unknown Russian IP.
https://www.virustotal.com/en/ip-address/13.107.4.50/information/ (this is the part I'm talking about: "Latest detected files that communicate with this IP address
Latest files submitted to VirusTotal that are detected by one or more antivirus solutions and communicate with the IP address provided when executed in a sandboxed environment.")
1
 

Author Comment

by:yodaa
ID: 41713032
Kimputer

"Therefore, the assumption that you in fact have malware on this server/PC on that local IP nr is quite easy to make. The false positive assumption is sadly because this IP nr belongs to MS; it wouldn't even come up if it was an unknown Russian IP."

Sorry, but I don't get it. Could you please explain this for me more clearly?
0
 
LVL 99

Expert Comment

by:John Hurst
ID: 41713036
I was doing the windows updates on this machine  <-- And your machine would be going out to Microsoft to do this.
1
 
LVL 37

Expert Comment

by:Kimputer
ID: 41713045
VirusTotal received a lot of malware today. They take the malware and run it (in a sandbox). They found out that quite a lot of the malware submitted today looks for that server 13.107.4.50 to get info or download stuff (not important for now).
The question now is, did your firewall block on the logic of:
- I scanned this traffic, it's bad traffic, there's malware talking on this 13.107.4.50 <> 192.168.0.151 line, I'll block it now.
THEN your PC has malware.

OR

- I scanned this traffic, and in some database it marked IP 13.107.4.50 as bad. I don't even care if it's for MS updates, I'll just mark it as bad anyway. Could even be just normal traffic.
THEN it's a false positive.

For now, I'm leaning more towards malware; it looks like the server at 13.107.4.50 has been taken offline, probably to investigate these reports:

Our services aren't available right now. We're working to restore all services as soon as possible. Please check back soon. Ref A: FBABD80FECD2466DBF25A80EFC62A66D Ref B: 56574FD253F08480EBE49E94638C097F Ref C: Fri Jul 15 08:38:46 2016 PST
1
 

Author Comment

by:yodaa
ID: 41713049
Yes John, that's correct, and actually it did not install one Windows update.
0
 

Author Comment

by:yodaa
ID: 41713059
I have scanned this PC with Malwarebytes and Trend; it's clean.
What else can I do?
0
 
LVL 99

Expert Comment

by:John Hurst
ID: 41713064
Put it down for a while (say until tomorrow). Then try updating Windows again and see what you get.
1
 
LVL 37

Expert Comment

by:Kimputer
ID: 41713065
Finish with one more offline scan (antivirus boot DVD/USB).
1
 

Author Comment

by:yodaa
ID: 41713067
Okay which one ?
0
 
LVL 37

Expert Comment

by:bbao
ID: 41713083
> 13.107.4.50 is a Microsoft site (whois lookup) and the local computer may simply be looking for Microsoft.

You can't believe this IP is safe simply because its owner is Microsoft.

The IP range from 13.64.0.0 to 13.107.255.255 (2,883,584 IPs!) is for MS Azure, hence heaps of third-party cloud-based services, including malware services, are running there even though its ultimate owner is Microsoft.
1
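As an added example (not part of this thread), the following Python code puts two points raised above into a small triage check: bbao's observation that the Azure range is huge and shared (so "owned by Microsoft" is not "safe"), and Kimputer's distinction between a block based on inspecting the traffic and a block based only on an IP reputation list. The firewall alert lines and their `src=... dst=... reason=...` format are constructed for the example.

```python
import ipaddress
from typing import Iterable, List

# The Azure range quoted in the thread (13.64.0.0 - 13.107.255.255).
AZURE_RANGE_START = ipaddress.IPv4Address("13.64.0.0")
AZURE_RANGE_END = ipaddress.IPv4Address("13.107.255.255")

# An arbitrary start/end pair is not one CIDR block, so summarize it
# into the minimal list of networks that cover it.
AZURE_NETS = list(ipaddress.summarize_address_range(AZURE_RANGE_START, AZURE_RANGE_END))


def azure_range_size() -> int:
    """Number of addresses in the quoted range (checks bbao's 2,883,584 figure)."""
    return sum(net.num_addresses for net in AZURE_NETS)


def in_shared_cloud_range(ip: str) -> bool:
    """True if ip is inside the Azure block, meaning the registered owner
    (Microsoft) says nothing about which tenant is behind the address."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in AZURE_NETS)


def triage(log_lines: Iterable[str]) -> List[dict]:
    """Classify constructed alert lines 'src=<ip> dst=<ip> reason=<signature|reputation> name=<text>'.
    A block based only on IP reputation may be a false positive; a block based on
    inspecting the traffic itself points at the internal host as a suspected infection."""
    results = []
    for line in log_lines:
        fields = dict(kv.split("=", 1) for kv in line.split())
        verdict = ("suspect_infection" if fields["reason"] == "signature"
                   else "possible_false_positive")
        results.append({
            "src": fields["src"], "dst": fields["dst"],
            "cloud_hosted": in_shared_cloud_range(fields["dst"]),
            "verdict": verdict,
        })
    return results


# Constructed sample alerts; the hosts and names are illustrative only.
SAMPLE_ALERTS = [
    "src=192.168.0.151 dst=13.107.4.50 reason=signature name=Agent.FL/Trojan",
    "src=192.168.0.22 dst=13.107.4.50 reason=reputation name=blocked-ip-list",
    "src=192.168.0.30 dst=203.0.113.9 reason=signature name=Agent.FL/Trojan",
]

if __name__ == "__main__":
    print(f"Azure range holds {azure_range_size():,} addresses")
    for alert in triage(SAMPLE_ALERTS):
        print(alert)
```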
 

Author Comment

by:yodaa
ID: 41713086
Okay so what else should I do?

Format this computer ?
0
 
LVL 99

Expert Comment

by:John Hurst
ID: 41713090
Turn the computer off, try a different computer through the same firewall. See if you get the same results.

If not, consider formatting the computer.

If Windows 7, use the recent rollup site to get most of the updates after SP1.

https://support.microsoft.com/en-ca/kb/3125574
1
 
LVL 84

Expert Comment

by:David Johnson, CD, MVP
ID: 41713613
Only Bkav (1/55) is flagging it as a virus, and it is a Windows Defender update signed by Microsoft Authenticode. It is a false positive.
1
 
LVL 37

Accepted Solution

by:Kimputer (earned 2000 total points)
ID: 41716981
It would be a false positive if most Windows update servers were reported (not where you're looking; I already explained I looked at "Latest detected files that communicate with this IP address"). However, I checked others, and they're clean (or at least for this year). It clearly means this server was targeted for whatever reason, and it's too much of a coincidence that the server was taken offline while the reports of analyzed malware keep trying to connect to it.
It's more likely the firewall detected the malware connection than that it marked the connection as a false positive. If it wasn't a firewall but the virus scanner, you could maybe argue it could be a false positive IF IT used the same Bkav engine, but it's not a virus scanner; it was the traffic that alerted the firewall.
The original asker can confirm this, if the firewall works in conjunction with antivirus INSTALLED on the computer. If there's no such software, the firewall can't detect the malware, only the traffic, meaning it's not a false positive: it really scanned the traffic only and that fired off the alert.
0
