Network saturated in malware, every computer!


  1. Posts : 2
    win 10
       #1

    Network saturated in malware, every computer!


    So major issues after suspecting malware for awhile ... I finally found it (more on that in a second). The issue is my whole home network must be infected (according to the cve that is what this malware does).
    That includes Chromecast, printer, 2 windows desktops, 1 Linux laptop, 2 iPhone, iPad, usb storage, hdds and router. The only way I was able to find this malware is by using a live (Ubuntu) os and scanning the windows drives with av.

    Here are the CVEs:
    win.torojan.rammit-7106
    swf.Exploit.cve_2016_7872-5855317-0
    swf.Exploit.cve_2016_7879-5889229-0
    win.trojan.generic-6563181
    win.trojan.generic-6563205
    win.Dropper.Yeehbar-6567740-0
    This hacker also put malware into my Linux system by taking over a login in client. I was not able to find the any explicit malware but I think they got in through Firefox.

    Also a internal port scan of my router:
    22/tcp filtered ssh
    23/tcp filtered telnet
    53/tcp open domain
    80/tcp open http
    443/tcp open https
    49152/tcp open unknown
    49153/tcp open unknown
    49154/tcp open unknown
    What really concerns me about this is what are the unknown ports, ssh and telnet,
    the router basically default nothing special it is isp cisco router.

    So what I have planned to do:
    -Take all apple devices to apple store have them run diagnostics/ av on them.
    -get a new router
    -reinstall windows/Linux on devices (with trusted usb sticks)
    -put all valuable files on one new storage device go through data and scan device

    Here are my concerns:
    -How do I know the printer is safe and malware free (seams like a great attack vector)?
    -How do I know the Chromecast is safe?
    -Can malware take over laptop/desktop/printer/etc firmware?
    -Would using Linux to erase the storage devices be enough (as such ... )
    bash >> clamscan <> <drive>
    bash >> mv /good/files /trusted/drive
    bash >> shred -vzn 1 <drive>
    bash >> fdisk -u #to make new partition table
    bash >> mkfs.ntfs <part>
    would that handle all types of malware or can it hide from Linux or freedos?

    My passwords are very strong for example: tUrnip55Tr35D0tFY which would be tough to break,
    but my parents won't not use there last name is there anything I do to make their computers/ipads more secure. Thanks in advance this has caused really big problems in my life, like deleting my homework, causing me to drop out of school and I'm scared who ever is doing this is going to steal my identity; leave me with nothing if they haven't already. Please any advice you can give I really can't understand why some
    one has done this to me but at the very least I can try and get rid of it.
      My Computer


  2. Posts : 30,077
    Windows 11 Pro x64 Version 23H2
       #2

    Hi rickyrickyboby.

    Can you point us to the article which shows what this malware can attack.

    Not doubting you but this would be a weaponized malware. These are very diverse systems.

    For your router if you do the full firmware reset, where you hold in the reset button, base firmware will be reloaded. You need to read instructions for your particular device as to timings etc.

    As to your iPhones if you you use iTunes you can restore the devices to factory original. The restore downloads code and restores from this fresh copy.

    Once you removed the malware from all your computers and phones connect one back on your network, give it an hour or so and the rerun the scan you used to find the malware originally to see if machine has become re-infected.

    I know getting infected can be very troublesome and the fact that someone may have your data can be frightening. That said becoming infected is something that happens to thousands of people and organizations. I don't believe you were personally targeted rather the hook was put in the water and someone bit.

    Clean your machines, reset your phones and router. Change your passwords and then monitor your accounts. As to your parents I would set them up Standard users. Have the talk about clicking on links and opening attachments, explain how these are used as attack vectors and that curiosity kills the cat. You could even look at connecting another router to the home router and create your own IP range which should limit infections from their addresses finding yours.
      My Computer


  3. Posts : 16,325
    W10Prox64
       #3

    rickyrickyboby said:
    [snip...]
    Here are my concerns:
    -How do I know the printer is safe and malware free (seams like a great attack vector)?
    -How do I know the Chromecast is safe?
    -Can malware take over laptop/desktop/printer/etc firmware?
    -Would using Linux to erase the storage devices be enough (as such ... )
    bash >> clamscan <> <drive>
    bash >> mv /good/files /trusted/drive
    bash >> shred -vzn 1 <drive>
    bash >> fdisk -u #to make new partition table
    bash >> mkfs.ntfs <part>
    would that handle all types of malware or can it hide from Linux or freedos?

    My passwords are very strong for example: tUrnip55Tr35D0tFY which would be tough to break,
    but my parents won't not use there last name is there anything I do to make their computers/ipads more secure. Thanks in advance this has caused really big problems in my life, like deleting my homework, causing me to drop out of school and I'm scared who ever is doing this is going to steal my identity; leave me with nothing if they haven't already. Please any advice you can give I really can't understand why some
    one has done this to me but at the very least I can try and get rid of it.
    Hi.
    So sorry to hear this! You really have to drop out of school because of it?
    Ramnit is a worm - that's how it spread to everything on the network. The Ramnit botnet was taken down about 3 years ago. (That doesn't mean it can't harm you though.)

    As Ken suggested, reset the i-devices to factory condition, look up how to reset your router to factory condition, or buy a new one. Once you get the router sorted, make sure it has the latest firmware.

    I believe if you nuke all your hard drives you should be able to get rid of it. Ramnit does infect the MBR.
    I don't think Ramnit actually "infects" printers. If the printer emits its own wireless SSID, turn that off for safety.

    Some other suggestions:
    Reset the Chromecast to factory condition.
    Reinstall Windows and Linux to computers after nuking the drives.
    Use Symantec's Ramnit Removal Tool to scan your data drive(s).
    Use Panda's USB Vaccine on all Windows computers (this is usually how a lot of infections get in).
    Always put IoT devices on a guest network.
    You could also put your parents' i-devices on the guest network to help wall them off from your stuff.
    (As Ken said) put your parents on a Standard User Account, and have an Admin account available for when it's needed. (Unfortunately, I think Ramnit would infect standard accounts as well. But that precaution will prevent a lot of other problems.)
    Make all network connections in Windows devices "public".
    Check your email addresses regularly for pwnage here.
    If you saved passwords in any of your devices, change them all from a known-clean system on a known-clean network.
    If need be, place a fraud alert on your credit files and renew it every three months.

    Your parents must change their Apple passwords, and they need to add numbers and special characters now. Have them add numbers easy to remember like house or phone digits, and then put a pound sign or something else at the end of it. Strong passwords and two-factor-verification are essential these days. Set up the 2F verification on everything that has it available now.

    I would also suggest Malwarebytes Pro and Zonealarm free firewall for their Windows systems. I believe Malwarebytes also have a version for i-devices (not positive about phones and tablets, but they do for computers).

    If you have any credit cards saved in online accounts (i.e. Amazon), or if you had any banking info at all on any of the affected devices, call your bank(s) and have them cancelled and re-issued.

    There are some additional recommendations at the bottom of this page.

    Ramnit is a bear to get rid of. Having a Macrium backup of your computers would be an easy restore for those, but the rest of the network requires a lot of work. Good luck.
    Last edited by simrick; 09 Jun 2018 at 17:18.
      My Computer


  4. Posts : 2
    win 10
    Thread Starter
       #4

    Thanks a ton for the help guys.
    @ken
    I did a little research on Cisco routers and I think the issues is the worm can remotely reconfigure those things very easily which leaves man in middle, port forwarding, etc a very permanent vulnerability as long as they have my pub IP and/or pwnd at least one of computers. I'm getting a new router/modem from my ISP and additionally and a second router that isn't vulnerability to this. I did a deeper scan of my current router and confirmed it is still infected even after resting and reinstalling everything but iphones/ipad/chromecast/printer. There is a x display service running that's port forwarding (gives the ability to view my Linux screen remotely). I certainly hope this wasn't personal but it seams soo tailored. Crazy that a worm can be that sophisticated. The two windows accounts is a great idea, now I just have to convince my dad to replace his ipad 1 with something more modern. @simrick
    I had no idea it was such a widespread attack and again amazing that it can live in home networks for this long and remain undetected by windows defender. The thing with school is I was trying to build networking/service apps which required a fresh Linux os or vm/etc this malware would propagate and f*** the os or cause major networking issues, so yeah its not why I dropped out of school it just stressed me out when I was near a breaking point and my apologies for including that was just a bit stressed when i discovered this. I'm going to research usb propagating malware by using metasploit to put some on a few drives (with an old/networked computer) and see what they do with wireshark.... I feel like it goes deeper than just new partition table but I guess I'll figure that out (unless your certain a new table/fs would solve the problem? (I don't know how hardware works at a lower level but if you do; please do explain!)). I will try/test both synaptic's tools and panada's usb cleaner. This is a bit unrelated but have you tried wbadmin for windows shadow copies, I've never used Macrium is it worth it? Thanks a ton for the info; your right this will be a lot of work.

    I'll post how I get ride of this when I'm sure its gone in case someone finds the same bs. If anyone is wondering how to find it like i said live os (like Ubuntu), antivirus (like clamav), I also needed to use a vpn to even download clamav database properly.
      My Computer


  5. Posts : 16,325
    W10Prox64
       #5

    Okay glad this wasn't the reason you dropped out of school..
    I believe the Ramnit worm goes as deep as the MBR, so nuking the drive would remove it. BUT, the trojans that got in allow other things to be downloaded, so perhaps we don't know everything that was infecting you completely. This is why I suggest the other things like Haveibeenpwned and fraud alerts, re-issuing credit cards, changing all passwords, etc.

    The router issues you identified are definitely a problem. Once you've got a clean router, update the firmware, change the default password used for setting up the router, setup a guest wifi account as well as a regular wifi SSID.

    It will be good to have your input for others on how you finally get rid of this infection.

    Macrium Reflect have a free version, which is all you need, I'm sure. If you have images of all systems, you can simply restore the images, and not have to clean stuff out. We also have a tutorial here in the forums on how to use it. It's highly recommended, and used by many members.
      My Computer


 

  Related Discussions
Our Sites
Site Links
About Us
Windows 10 Forums is an independent web site and has not been authorized, sponsored, or otherwise approved by Microsoft Corporation. "Windows 10" and related materials are trademarks of Microsoft Corp.

© Designer Media Ltd
All times are GMT -5. The time now is 06:11.
Find Us




Windows 10 Forums