This is going to be a long one, sorry. Let me start by saying that I am a professional in the field (web systems engineer), so I have a pretty good working knowledge of systems and networks.
I recently (6/28/16) received an email from my ISP (Cox) stating that they detected a ZBot infection from my network, due to access of a known C&C server. I inspected the email headers to ensure that the email did in fact come from Cox and it appears to be legitimate.
I can post the URL that they said my network had contacted, but was not sure if I should do that in this forum or not, given the stated rules. Since my systems are behind a router locally, Cox was (obviously) not able to tell which system on my side this traffic came from, but I only have one personal Windows system running at the moment. There are also a few Android devices, a smart TV, and an Xbox One.
We use OpenDNS (free version) for our DNS services here, and the OpenDNS server IPs are configured directly on the router. All devices within the network use DHCP and pull the correct IPs for DNS services from the router as expected (FYI -- router is a DLink DIR-655 on the latest firmware). I have confirmed that all of this still appears to be in place and that OpenDNS is recording queries coming through it. I also confirmed that the specific URL that Cox flagged was indeed seen in the OpenDNS logs on 6/28/16. This part seemed a little strange to me -- that Cox was able to determine that this URL was accessed even though the DNS resolution did not occur on Cox DNS servers. But I wrote this off to them doing some sort of packet inspection against the actual traffic to/from this server.
The particular URL that was flagged ended in a .br (Brazilian) domain. I am in the US and do not do ANY business with any .br sites or companies (AFAIK). So, I went ahead and blocked ALL .br domains through OpenDNS. Since then I have not seen the flagged domain come up in the DNS logs again (even as a blocked request); however, I have seen a great many other .br domains being blocked within OpenDNS as a result. And I see these repeat daily, except on days when I have my personal Windows PC shut down for the day. These other domains appear to be mostly banking sites ending in .br, but none that I have any business with. When reviewing the OpenDNS logs I also saw a bunch of other foreign country addresses being resolved, so I went ahead and blocked as many of those as I could as well.
Here is a list of all the country specific domain identifiers that I saw in the OpenDNS logs and subsequently set to always block in OpenDNS. This is not a complete list of country domains that I saw in those logs though, as the free version of OpenDNS only allows a finite amount of blocking to be defined.
-> .br .cz .de .eu .fr .hk .in .int .it .mx .ph .pl .pt .ru .tr .tw .us .za
Also, looking at OpenDNS stats, I seem to see a spike in the number of DNS requests every evening around 22:00 - 23:00. This is around the time (if not after) that we all go to sleep for the evening, so I would think there should not be much going on then.
I have Avast installed on my personal Windows PC and it is finding nothing. The ESET scanner running in Safe Mode with Networking also came up with nothing. But I have read the detection rate of this type of infection is fairly poor (abysmal is the word that was used). I also installed Malwarebytes, but not until after the fact. Malwarebytes reports the system as clean as well.
I am just about ready to give up and just reload the system drive entirely but I wanted to see if you all could confirm my suspicions that this PC is indeed the culprit.
I got the following from netstat just a few minutes ago (FYI -- "Genghis" is my PC's hostname)...
C:\WINDOWS\system32>netstat -sp tcp
TCP Statistics for IPv4
Active Opens = 26942
Passive Opens = 4603
Failed Connection Attempts = 755
Reset Connections = 11856
Current Connections = 23
Segments Received = 2653071
Segments Sent = 1434952
Segments Retransmitted = 55713
Proto Local Address Foreign Address State
TCP 127.0.0.1:49909 Genghis:49910 ESTABLISHED
TCP 127.0.0.1:49910 Genghis:49909 ESTABLISHED
TCP 127.0.0.1:54317 Genghis:54318 ESTABLISHED
TCP 127.0.0.1:54318 Genghis:54317 ESTABLISHED
TCP 127.0.0.1:54320 Genghis:54321 ESTABLISHED
TCP 127.0.0.1:54321 Genghis:54320 ESTABLISHED
TCP 192.168.0.102:49680 sea13:http ESTABLISHED
TCP 192.168.0.102:56441 msnbot-65-52-108-207:https ESTABLISHED
TCP 192.168.0.102:59428 ec2-54-235-185-167:https CLOSE_WAIT
TCP 192.168.0.102:59429 ec2-54-235-185-167:https CLOSE_WAIT
TCP 192.168.0.102:59897 r-148-58-45-5:http CLOSE_WAIT
TCP 192.168.0.102:60746 ec2-54-235-185-167:https CLOSE_WAIT
TCP 192.168.0.102:61199 lax17s04-in-f37:https TIME_WAIT
TCP 192.168.0.102:61212 22.214.171.124:https TIME_WAIT
TCP 192.168.0.102:61213 126.96.36.199:https TIME_WAIT
TCP 192.168.0.102:61215 ec2-52-32-224-87:https ESTABLISHED
TCP 192.168.0.102:61216 188.8.131.52:https ESTABLISHED
TCP 192.168.0.102:61217 184.108.40.206:https ESTABLISHED
TCP 192.168.0.102:61218 220.127.116.11:https ESTABLISHED
TCP 192.168.0.102:61219 18.104.22.168:http ESTABLISHED
TCP 192.168.0.102:61220 22.214.171.124:http ESTABLISHED
TCP 192.168.0.102:61221 126.96.36.199:http ESTABLISHED
TCP 192.168.0.102:61222 188.8.131.52:http ESTABLISHED
TCP 192.168.0.102:61223 184.108.40.206:http ESTABLISHED
TCP 192.168.0.102:61224 220.127.116.11:http ESTABLISHED
TCP 192.168.0.102:61225 18.104.22.168:http ESTABLISHED
TCP 192.168.0.102:61228 22.214.171.124:http TIME_WAIT
TCP 192.168.0.102:61229 126.96.36.199:https TIME_WAIT
TCP 192.168.0.102:61230 188.8.131.52:https TIME_WAIT
TCP 192.168.0.102:61231 184.108.40.206:https TIME_WAIT
I had a couple of browser windows open with reddit, youtube, and some Asus pages loaded at the time. I will restart this system after posting and rerun the above command and post the new results to see if that cleans up any of these connections.
Thanks in advance for your help with this!!
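One way to run the kind of log review described in the post (foreign-TLD lookups that recur daily, and the evening spike in query volume) as a script, added here as an example and not code from the original post or from OpenDNS: the log lines, their comma-separated layout, the domain names and the "home" TLD baseline are all constructed for the example and do not reflect OpenDNS's real export format.

```python
# Added example: triage of resolver query logs for recurring foreign-TLD lookups
# and hourly query spikes. Log format, domains and HOME_TLDS are constructed.
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample: "timestamp,domain,action" per line (not a real OpenDNS export).
SAMPLE_LOG = """\
2016-06-28 09:12:04,www.reddit.com,allowed
2016-06-28 09:12:05,evil-example.com.br,allowed
2016-06-28 22:14:30,bank-example.com.br,allowed
2016-06-28 22:14:31,other-bank.com.br,allowed
2016-06-28 22:15:02,cdn.example.net,allowed
2016-06-29 10:05:11,www.youtube.com,allowed
2016-06-29 22:30:45,bank-example.com.br,blocked
2016-06-29 22:30:46,other-bank.com.br,blocked
2016-06-29 22:31:00,update.example.ru,allowed
"""

HOME_TLDS = {"com", "net", "org"}  # assumed baseline for a US home network

def parse_log(text):
    """Return (timestamp, domain, action) tuples from the constructed log text."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, domain, action = line.split(",")
        rows.append((datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), domain.lower(), action))
    return rows

def tld(domain):
    """Top-level label only: 'bank-example.com.br' -> 'br'."""
    return domain.rsplit(".", 1)[-1]

def foreign_tld_counts(rows):
    """Queries per TLD outside the baseline (the .br / .ru style pattern in the post)."""
    return Counter(tld(d) for _, d, _ in rows if tld(d) not in HOME_TLDS)

def spike_hours(rows, factor=2.0):
    """Hours whose query count exceeds factor * mean of all other hours."""
    counts = Counter(ts.hour for ts, _, _ in rows)
    if len(counts) < 2:
        return []
    spikes = []
    for hour, n in counts.items():
        others = [v for h, v in counts.items() if h != hour]
        if n > factor * (sum(others) / len(others)):
            spikes.append(hour)
    return sorted(spikes)

def daily_repeaters(rows):
    """Foreign-TLD domains queried on more than one calendar day."""
    days = defaultdict(set)
    for ts, d, _ in rows:
        if tld(d) not in HOME_TLDS:
            days[d].add(ts.date())
    return sorted(d for d, seen in days.items() if len(seen) > 1)
```

Pointing the same functions at a real export narrows the review to the domains that recur while a given machine is powered on, which is the correlation the post is trying to make by hand.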