Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

I've never seen unknown malware hide like this


  • Please log in to reply
1 reply to this topic

#1 CrackedPepper

CrackedPepper

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:03:39 AM

Posted 12 May 2016 - 02:01 PM

I have a PC that is triggering alarms in my unified threat management system (AlienVault).  The directive that causes the alarm is:  

 

AV Malware, the DNS server replied with a sinkhole address, infected host resolving a CnC domain - Anubis Sinkhole.

 

AlienVault points back to the PC that appears to be infected as well as external IP address 206.124.65.253 (the sinkhole) and my internal DNS address.  The payload indicates that the site pghmom.com is involved.  The alarm can be triggered at will by going to the the URL.  The event is triggered only active when Internet Explorer is loaded.

 

A URL scan using https://sitecheck.sucuri.net/results/pghmom.com yielded the following negative reports:

 
Malware: Not Detected (Low Risk)
Website Blacklisting: Not Detected (Low Risk)
Injected SPAM: Not Detected (Low Risk)
Defacements: Not Detected (Low Risk)
 
virustotal.com reports that 2 of 57 sites found issues with pghmom.com and a 3rd found it suspicious:
Websense ThreatSeeker: Malicious site
Fortinet: Malware site
CLEAN MX: Suspicious site
 
The system has been taken off the network even though Wireshark traces indicate that there is no data exfiltration and the external IP address 206.124.65.253 has been blocked at the firewall.
 

All anti-rootkit (MalwareBytes, Kaspersky, SysInternals) antivirus scans (ESET, Webroot, Bitdefender, F-Secure OnlineScanner) and anti-malware scans (MalwareBytes, SuperAntispyware, Zemana) came up negative.

 
Not sure what else to try except some of the advanced tools used by the experts here.  Can anyone help solve this?

Edited by CrackedPepper, 12 May 2016 - 03:03 PM.


BC AdBot (Login to Remove)

 


#2 buddy215

buddy215

  • Moderator
  • 13,414 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:West Tennessee
  • Local time:01:39 AM

Posted 13 May 2016 - 12:16 PM

Please follow the instructions in the Malware Removal and Log Section Preparation Guide starting at Step 6.

  • If you cannot complete a step, then skip it and continue with the next.
  • In Step 6 there are instructions for downloading and running FRST which will create two logs.

When you have done that, post your logs in the Virus, Trojan, Spyware, and Malware Removal Logs forum, NOT here, for assistance by the Malware Response Team.

Start a new topic, give it a relevant title and post your log(s) along with a brief description of your problem, a summary of any anti-malware tools you have used and a summary of any steps that you have performed on your own. If you cannot produce any of the required logs...start the new topic anyway. Explain that you followed the Prep. Guide, were unable to create the logs, and describe what happened when you tried to create them. A member of the Malware Removal Team will walk you through, step by step, on how to clean your computer.

After doing this, please reply back in this thread with a link to the new topic so we can close this one.

 

DO NOT bump your new topic. Wait for a response from one of the Team Members.


“Every atom in your body came from a star that exploded and the atoms in your left hand probably came from a different star than your right hand. It really is the most poetic thing I know about physics...you are all stardust.”Lawrence M. Krauss
A 1792 U.S. penny, designed in part by Thomas Jefferson and George Washington, reads “Liberty Parent of Science & Industry.”




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users