
ESET Caught subtle executions of Javascript files coming from AWS


This topic is locked
12 replies to this topic

#1 Resonce

Resonce

  • Members
  • 15 posts
  • OFFLINE
  • Gender:Male
  • Local time:01:06 AM

Posted 04 October 2017 - 05:52 AM

My ESET Smart Security has caught a very sneaky execution of around 7 JavaScript files coming from 54.192.127.86, which iplocation.net tells me is from Amazon Web Services. I also did a bunch of inquiries into various TCP connection IPs that have no image name and, to my surprise, most of them are from Amazon Web Services, and if not, from places that I shouldn't be expecting traffic from.

 

I knew something was fishy as I was having weird activity as of late, like my mouse moving randomly, but the movement doesn't feel entirely like mouse glitching.
 
Do note that whenever I start Windows without anything open yet, I suddenly get a bunch of port 443 connections, most of which come from Amazon Web Services, which is really weird.
 
They disappear and stop for a moment as soon as I block all network traffic using my ESET, but these suspicious connections all come back as soon as I open up ANY browser, even the Steam Big Picture browser, much to my dismay...
 
I started trying to observe every connection that my firewall intercepts and I happened to run across something fishy, so I looked it up and it seems it is a virus/worm or whatever you call it.
 
It's too bad that I found out too late that netstat can be used in a way that saves its output into a text file automatically, so I wasn't able to save all the entries.
 
  TCP    192.168.13.101:60135   ec2-52-4-174-137:https  ESTABLISHED     7116
  TCP    192.168.13.101:60138   a23-51-209-108:https   ESTABLISHED     7116
  TCP    192.168.13.101:60151   a23-37-151-96:https    ESTABLISHED     7116
  TCP    192.168.13.101:60169   53:https               LAST_ACK        7116
  TCP    192.168.13.101:60170   53:https               TIME_WAIT       0
  TCP    192.168.13.101:60171   a23-211-97-73:https    ESTABLISHED     7116
  TCP    192.168.13.101:60175   151.101.90.49:https    ESTABLISHED     7116
  TCP    192.168.13.101:60176   151.101.90.49:https    ESTABLISHED     7116
  TCP    192.168.13.101:60178   ec2-52-69-51-126:https  ESTABLISHED     7116
  TCP    192.168.13.101:60180   a23-211-97-73:https    ESTABLISHED     7116
  TCP    192.168.13.101:60190   ec2-52-78-173-103:https  ESTABLISHED     7116
  TCP    192.168.13.101:60191   ec2-52-78-173-103:https  ESTABLISHED     7116
  TCP    192.168.13.101:60204   s-prd-umpxl-adcom-scd-a:https  ESTABLISHED     7116
  TCP    192.168.13.101:60205   s-prd-umpxl-adcom-scd-a:https  ESTABLISHED     7116
  TCP    192.168.13.101:60214   oneads-sspums-adtech-scd-blue-b:https  TIME_WAIT       0
  TCP    192.168.13.101:60217   oneads-sspums-adtech-scd-blue-b:https  TIME_WAIT       0
  TCP    192.168.13.101:60220   s-prd-umpxl-adcom-scd-blue-b:https  TIME_WAIT       0
  TCP    192.168.13.101:60221   s-prd-umpxl-adcom-scd-blue-b:https  TIME_WAIT       0
  TCP    192.168.13.101:60222   unknown:https          TIME_WAIT       0
  TCP    192.168.13.101:60223   unknown:https          TIME_WAIT       0
  TCP    192.168.13.101:60224   70:https               TIME_WAIT       0
  TCP    192.168.13.101:60225   70:https               TIME_WAIT       0
  TCP    192.168.13.101:60259   oneads-sspums-adtech-scd-blue-b:https  TIME_WAIT       0
  TCP    192.168.13.101:60264   oneads-sspums-adtech-scd-blue-b:https  TIME_WAIT       0
  TCP    192.168.13.101:60281   oneads-sspums-adtech-scd-blue-b:https  TIME_WAIT       0
  TCP    192.168.13.101:60282   oneads-sspums-adtech-scd-blue-b:https  TIME_WAIT       0
  TCP    192.168.13.101:60290   96:https               LAST_ACK        7116
  TCP    192.168.13.101:60291   96:https               TIME_WAIT       0
  TCP    192.168.13.101:60299   kix05s01-in-f3:https   ESTABLISHED     4328
  TCP    192.168.13.101:60301   kix05s01-in-f3:https   CLOSE_WAIT      6740
  TCP    192.168.13.101:60302   kix05s01-in-f3:https   ESTABLISHED     6740
  TCP    192.168.13.101:60303   151.101.193.69:https   ESTABLISHED     4328
  TCP    192.168.13.101:60304   151.101.193.69:https   ESTABLISHED     4328
  TCP    192.168.13.101:60305   kix06s02-in-f10:https  ESTABLISHED     4328
  TCP    192.168.13.101:60307   a23-51-209-187:https   ESTABLISHED     4328
  TCP    192.168.13.101:60309   151.101.1.69:https     ESTABLISHED     4328
  TCP    192.168.13.101:60310   151.101.1.69:https     ESTABLISHED     4328
  TCP    192.168.13.101:60314   kix05s01-in-f2:https   LAST_ACK        7116
  TCP    192.168.13.101:60315   kix05s01-in-f2:https   TIME_WAIT       0
  TCP    192.168.13.101:60316   kix05s01-in-f2:https   TIME_WAIT       0
  TCP    192.168.13.101:60317   a23-51-209-187:https   ESTABLISHED     4328
  TCP    192.168.13.101:60318   a23-51-209-187:https   ESTABLISHED     4328
  TCP    192.168.13.101:60319   kix05s01-in-f2:https   ESTABLISHED     4328
  TCP    192.168.13.101:60323   a23-37-148-140:https   ESTABLISHED     4328
  TCP    192.168.13.101:60324   a23-37-148-140:https   ESTABLISHED     4328
  TCP    192.168.13.101:60326   kix05s01-in-f14:https  ESTABLISHED     4328
  TCP    192.168.13.101:60327   151.101.1.69:https     ESTABLISHED     4328
  TCP    192.168.13.101:60328   151.101.1.69:https     ESTABLISHED     4328
  TCP    192.168.13.101:60329   kix05s01-in-f2:https   ESTABLISHED     4328
  TCP    192.168.13.101:60330   kix05s01-in-f2:https   ESTABLISHED     4328
  TCP    192.168.13.101:60331   stackoverflow:https    ESTABLISHED     4328
  TCP    192.168.13.101:60332   ec2-23-21-117-64:https  CLOSE_WAIT      4328
  TCP    192.168.13.101:60333   ec2-23-21-117-64:https  CLOSE_WAIT      4328
  TCP    192.168.13.101:60334   server-54-192-127-54:https  ESTABLISHED     4328
  TCP    192.168.13.101:60338   kix05s01-in-f97:https  ESTABLISHED     4328
  TCP    192.168.13.101:60339   kix05s01-in-f97:https  ESTABLISHED     4328
  TCP    192.168.13.101:60340   kix05s01-in-f97:https  ESTABLISHED     4328
  TCP    192.168.13.101:60341   kix05s01-in-f2:https   ESTABLISHED     4328
  TCP    192.168.13.101:60342   kix05s01-in-f2:https   ESTABLISHED     4328
  TCP    192.168.13.101:60346   ec2-52-198-223-89:https  CLOSE_WAIT      4328
  TCP    192.168.13.101:60347   ec2-52-198-223-89:https  CLOSE_WAIT      4328
  TCP    192.168.13.101:60348   ec2-52-198-223-89:https  CLOSE_WAIT      4328
  TCP    192.168.13.101:60351   ec2-13-115-35-12:https  CLOSE_WAIT      4328
  TCP    192.168.13.101:60352   ec2-13-115-35-12:https  CLOSE_WAIT      4328
  TCP    192.168.13.101:60353   ec2-13-115-35-12:https  CLOSE_WAIT      4328
  TCP    192.168.13.101:60355   server-54-192-127-224:https  ESTABLISHED     4328
  TCP    192.168.13.101:60356   kix05s01-in-f102:https  ESTABLISHED     4328
  TCP    192.168.13.101:60357   kix05s01-in-f102:https  ESTABLISHED     4328
  TCP    192.168.13.101:60360   ec2-54-64-10-38:https  CLOSE_WAIT      4328
  TCP    192.168.13.101:60361   ec2-54-64-10-38:https  CLOSE_WAIT      4328
  TCP    192.168.13.101:60362   ec2-54-64-10-38:https  ESTABLISHED     4328
  TCP    192.168.13.101:60363   kix05s01-in-f102:https  ESTABLISHED     4328
  TCP    192.168.13.101:60364   kix06s01-in-f226:https  ESTABLISHED     4328
  TCP    192.168.13.101:60365   kix06s01-in-f226:https  ESTABLISHED     4328
  TCP    192.168.13.101:60366   kix05s01-in-f102:https  ESTABLISHED     4328
  TCP    192.168.13.101:60367   kix06s01-in-f226:https  ESTABLISHED     4328
  TCP    192.168.13.101:60418   ec2-52-198-184-96:https  CLOSE_WAIT      7116
  TCP    192.168.13.101:60419   ec2-52-198-184-96:https  CLOSE_WAIT      7116
  TCP    192.168.13.101:60420   ec2-52-193-24-150:https  CLOSE_WAIT      7116
  TCP    192.168.13.101:60422   ec2-52-221-139-158:https  CLOSE_WAIT      7116
  TCP    192.168.13.101:60423   ec2-52-221-139-158:https  CLOSE_WAIT      7116
  TCP    192.168.13.101:60438   50.57.31.206:https     ESTABLISHED     7116
  TCP    192.168.13.101:60439   50.57.31.206:https     ESTABLISHED     7116
  TCP    192.168.13.101:60440   ec2-46-137-177-35:https  CLOSE_WAIT      7116
  TCP    192.168.13.101:60441   ec2-46-137-177-35:https  CLOSE_WAIT      7116
  TCP    192.168.13.101:60444   ec2-54-152-7-35:https  CLOSE_WAIT      7116
  TCP    192.168.13.101:60445   ec2-54-152-7-35:https  CLOSE_WAIT      7116
  TCP    192.168.13.101:60446   oneads-sspums-adtech-scd-blue-b:https  TIME_WAIT       0
  TCP    192.168.13.101:60449   oneads-sspums-adtech-scd-blue-b:https  TIME_WAIT       0
  TCP    192.168.13.101:60452   50.57.31.206:https     ESTABLISHED     7116
  TCP    192.168.13.101:60453   ec2-46-137-177-35:https  CLOSE_WAIT      7116
  TCP    192.168.13.101:60454   ec2-54-152-7-35:https  CLOSE_WAIT      7116
  TCP    192.168.13.101:60455   ec2-46-137-177-35:https  CLOSE_WAIT      7116
  TCP    192.168.13.101:60456   ec2-54-152-7-35:https  CLOSE_WAIT      7116
  TCP    192.168.13.101:60458   ec2-46-137-177-35:https  CLOSE_WAIT      7116
  TCP    192.168.13.101:60459   ec2-46-137-177-35:https  CLOSE_WAIT      7116
  TCP    192.168.13.101:60462   a:https                ESTABLISHED     7116
  TCP    192.168.13.101:60463   a:https                ESTABLISHED     7116
  TCP    192.168.13.101:60472   ec2-52-87-130-243:https  ESTABLISHED     7116
  TCP    192.168.13.101:60473   ox-173-241-248-220:https  ESTABLISHED     7116
  TCP    192.168.13.101:60474   ox-173-241-248-220:https  ESTABLISHED     7116
  TCP    192.168.13.101:60502   74.117.199.102:https   TIME_WAIT       0
  TCP    192.168.13.101:60506   oneads-sspums-adtech-scd-blue-b:https  TIME_WAIT       0
  TCP    192.168.13.101:60507   oneads-sspums-adtech-scd-blue-b:https  TIME_WAIT       0
  TCP    192.168.13.101:60509   104.24.247.16:https    ESTABLISHED     7116
  TCP    192.168.13.101:60510   104.24.247.16:https    ESTABLISHED     7116
  TCP    192.168.13.101:60514   ec2-52-68-174-194:https  ESTABLISHED     7116
  TCP    192.168.13.101:60515   ec2-52-68-174-194:https  ESTABLISHED     7116
  TCP    192.168.13.101:60516   92:https               ESTABLISHED     7116
  TCP    192.168.13.101:60517   92:https               ESTABLISHED     7116
  TCP    192.168.13.101:60519   oneads-sspums-adtech-scd-blue-b:https  TIME_WAIT       0
  TCP    192.168.13.101:60525   oneads-sspums-adtech-scd-blue-b:https  TIME_WAIT       0
  TCP    192.168.13.101:60529   oneads-sspums-adtech-scd-blue-b:https  TIME_WAIT       0
  TCP    192.168.13.101:60532   ec2-52-78-173-103:https  ESTABLISHED     7116
  TCP    192.168.13.101:60539   104.28.8.237:http      TIME_WAIT       0
  TCP    192.168.13.101:60540   104.28.8.237:http      TIME_WAIT       0
  TCP    192.168.13.101:60541   104.28.8.237:https     ESTABLISHED     4008
  TCP    192.168.13.101:60546   104.28.8.237:https     ESTABLISHED     4008
  TCP    192.168.13.101:60547   104.28.8.237:https     ESTABLISHED     4008
  TCP    192.168.13.101:60548   104.28.8.237:https     ESTABLISHED     4008
  TCP    192.168.13.101:60549   104.28.8.237:https     ESTABLISHED     4008
  TCP    192.168.13.101:60550   104.28.8.237:https     ESTABLISHED     4008
  TCP    192.168.13.101:60551   ec2-35-165-225-32:https  ESTABLISHED     4008
  TCP    192.168.13.101:60552   ec2-35-165-225-32:https  ESTABLISHED     4008
  TCP    192.168.13.101:60553   23.111.10.140:https    ESTABLISHED     4008
  TCP    192.168.13.101:60554   23.111.10.140:https    CLOSE_WAIT      4008
  TCP    192.168.13.101:60555   192.229.237.25:https   ESTABLISHED     4008
  TCP    192.168.13.101:60556   192.229.237.25:https   ESTABLISHED     4008
  TCP    192.168.13.101:60557   kix06s01-in-f232:https  CLOSE_WAIT      4008
  TCP    192.168.13.101:60558   kix06s01-in-f232:https  ESTABLISHED     4008
  TCP    192.168.13.101:60559   151.101.188.134:https  ESTABLISHED     4008
  TCP    192.168.13.101:60560   151.101.188.134:https  ESTABLISHED     4008
  TCP    192.168.13.101:60565   104.244.42.200:https   ESTABLISHED     4008
  TCP    192.168.13.101:60566   104.244.42.200:https   ESTABLISHED     4008
  TCP    192.168.13.101:60567   117.18.237.29:http     ESTABLISHED     4008
  TCP    192.168.13.101:60568   104.16.77.166:https    ESTABLISHED     4008
  TCP    192.168.13.101:60569   104.16.77.166:https    ESTABLISHED     4008
  TCP    192.168.13.101:60570   104.16.77.166:https    ESTABLISHED     4008
  TCP    192.168.13.101:60571   151.101.128.134:https  ESTABLISHED     4008
  TCP    192.168.13.101:60572   151.101.128.134:https  ESTABLISHED     4008
  TCP    192.168.13.101:60573   srv-sg-sgp-2:https     CLOSE_WAIT      4008
  TCP    192.168.13.101:60574   srv-sg-sgp-2:https     CLOSE_WAIT      4008
  TCP    192.168.13.101:60576   104.16.77.166:https    CLOSE_WAIT      4008
  TCP    192.168.13.101:60577   104.16.77.166:https    CLOSE_WAIT      4008
  TCP    192.168.13.101:60578   104.16.77.166:https    CLOSE_WAIT      4008
  TCP    192.168.13.101:60579   151.101.188.249:https  ESTABLISHED     4008
  TCP    192.168.13.101:60580   151.101.188.249:https  ESTABLISHED     4008
  TCP    192.168.13.101:60581   151.101.52.64:https    ESTABLISHED     4008
  TCP    192.168.13.101:60582   151.101.52.64:https    ESTABLISHED     4008
  TCP    192.168.13.101:60583   xx-fbcdn-shv-01-nrt1:https  ESTABLISHED     4008
  TCP    192.168.13.101:60584   xx-fbcdn-shv-01-nrt1:https  ESTABLISHED     4008
  TCP    192.168.13.101:60585   kix05s01-in-f14:https  ESTABLISHED     4008
  TCP    192.168.13.101:60586   kix05s01-in-f14:https  CLOSE_WAIT      4008
  TCP    192.168.13.101:60587   23.111.10.148:https    ESTABLISHED     4008
  TCP    192.168.13.101:60588   23.111.10.148:https    ESTABLISHED     4008
  TCP    192.168.13.101:60589   edge-star-mini-shv-01-nrt1:https  ESTABLISHED     4008
  TCP    192.168.13.101:60590   edge-star-mini-shv-01-nrt1:https  ESTABLISHED     4008
  TCP    192.168.13.101:60591   xx-fbcdn-shv-01-nrt1:https  ESTABLISHED     4008
  TCP    192.168.13.101:60592   xx-fbcdn-shv-01-nrt1:https  ESTABLISHED     4008
  TCP    192.168.13.101:60593   kix05s01-in-f109:https  CLOSE_WAIT      4008
  TCP    192.168.13.101:60594   kix05s01-in-f109:https  ESTABLISHED     4008
  TCP    192.168.13.101:60598   ec2-54-200-150-117:https  ESTABLISHED     4008
  TCP    192.168.13.101:60599   kix05s01-in-f3:https   CLOSE_WAIT      4008
  TCP    192.168.13.101:60600   kix05s01-in-f3:https   ESTABLISHED     4008
  TCP    192.168.13.101:60602   151.101.52.64:https    ESTABLISHED     4008
  TCP    192.168.13.101:60603   151.101.52.64:https    ESTABLISHED     4008
  TCP    192.168.13.101:60604   151.101.188.134:https  ESTABLISHED     4008
  TCP    192.168.13.101:60605   151.101.188.134:https  ESTABLISHED     4008
  TCP    192.168.13.101:60606   jptk05:https           CLOSE_WAIT      4008
  TCP    192.168.13.101:60607   jptk05:https           CLOSE_WAIT      4008
  TCP    192.168.13.101:60608   a23-44-155-27:http     ESTABLISHED     4008
  TCP    192.168.13.101:60609   a23-37-151-96:https    CLOSE_WAIT      4008
  TCP    192.168.13.101:60610   a23-37-151-96:https    ESTABLISHED     4008
  TCP    192.168.13.101:60611   63.251.252.12:https    ESTABLISHED     4008
  TCP    192.168.13.101:60612   63.251.252.12:https    CLOSE_WAIT      4008
  TCP    192.168.13.101:60613   ec2-13-228-8-237:https  ESTABLISHED     4008
  TCP    192.168.13.101:60614   ec2-13-228-8-237:https  ESTABLISHED     4008
  TCP    192.168.13.101:60615   65:https               ESTABLISHED     4008
  TCP    192.168.13.101:60616   65:https               ESTABLISHED     4008
  TCP    192.168.13.101:60617   207.38.110.62:https    CLOSE_WAIT      7116
  TCP    192.168.13.101:60618   207.38.110.62:https    CLOSE_WAIT      7116
  TCP    192.168.13.101:60620   ec2-54-200-150-117:https  ESTABLISHED     4008
  TCP    192.168.13.101:60621   server-52-85-5-224:http  ESTABLISHED     4008
  TCP    192.168.13.101:60622   ec2-54-200-150-117:https  ESTABLISHED     4008
  TCP    192.168.13.101:60623   ec2-54-68-1-191:https  ESTABLISHED     4008
  TCP    192.168.13.101:60624   ec2-54-68-1-191:https  ESTABLISHED     4008
  TCP    192.168.13.101:60625   kix03s01-in-f162:https  ESTABLISHED     4008
  TCP    192.168.13.101:60626   kix03s01-in-f162:https  CLOSE_WAIT      4008
  TCP    192.168.13.101:60627   ec2-34-234-185-154:https  ESTABLISHED     4008
  TCP    192.168.13.101:60628   ec2-34-234-185-154:https  ESTABLISHED     4008
  TCP    192.168.13.101:60629   119:https              CLOSE_WAIT      4008
  TCP    192.168.13.101:60630   119:https              ESTABLISHED     4008
  TCP    192.168.13.101:60631   ec2-52-72-156-243:https  ESTABLISHED     4008
  TCP    192.168.13.101:60632   ec2-52-72-156-243:https  ESTABLISHED     4008
  TCP    192.168.13.101:60634   265:https              CLOSE_WAIT      7116
  TCP    192.168.13.101:60635   265:https              CLOSE_WAIT      7116
  TCP    192.168.13.101:60636   207.38.110.62:https    CLOSE_WAIT      7116
  TCP    192.168.13.101:60637   207.38.110.62:https    CLOSE_WAIT      7116
  TCP    192.168.13.101:60638   bd:https               CLOSE_WAIT      7116
  TCP    192.168.13.101:60639   bd:https               CLOSE_WAIT      7116
  TCP    192.168.13.101:60640   207.38.110.62:https    CLOSE_WAIT      7116
  TCP    192.168.13.101:60641   207.38.110.62:https    CLOSE_WAIT      7116
  TCP    192.168.13.101:60642   ec2-34-194-78-111:https  ESTABLISHED     4008
  TCP    192.168.13.101:60643   ec2-34-194-78-111:https  ESTABLISHED     4008
  TCP    192.168.13.101:60644   adtechus-ads-adtech-scd-blue-a:https  CLOSE_WAIT      7116
  TCP    192.168.13.101:60645   adtechus-ads-adtech-scd-blue-a:https  CLOSE_WAIT      7116
  TCP    192.168.13.101:60646   ec2-13-114-227-58:https  ESTABLISHED     4008
  TCP    192.168.13.101:60647   ec2-13-114-227-58:https  ESTABLISHED     4008
  TCP    192.168.13.101:60650   90:https               CLOSE_WAIT      7116
  TCP    192.168.13.101:60651   90:https               CLOSE_WAIT      7116
  TCP    192.168.13.101:60652   ec2-52-6-17-99:https   CLOSE_WAIT      7116
  TCP    192.168.13.101:60653   ec2-52-6-17-99:https   CLOSE_WAIT      7116
  TCP    192.168.13.101:60654   oneads-sspums-adtech-scd-blue-b:https  TIME_WAIT       0
  TCP    192.168.13.101:60655   oneads-sspums-adtech-scd-blue-b:https  TIME_WAIT       0
  TCP    192.168.13.101:60658   67:https               CLOSE_WAIT      7116
  TCP    192.168.13.101:60659   67:https               CLOSE_WAIT      7116
  TCP    192.168.13.101:60660   oneads-sspums-adtech-scd-blue-b:https  ESTABLISHED     7116
  TCP    192.168.13.101:60661   oneads-sspums-adtech-scd-blue-b:https  TIME_WAIT       0
  TCP    192.168.13.101:60663   oneads-sspums-adtech-scd-blue-b:https  ESTABLISHED     7116
  TCP    192.168.13.101:60664   53:https               CLOSE_WAIT      7116
  TCP    192.168.13.101:60665   53:https               ESTABLISHED     7116
  TCP    192.168.13.101:60666   63:https               ESTABLISHED     7116
  TCP    192.168.13.101:60667   63:https               ESTABLISHED     7116
  TCP    192.168.13.101:60668   ec2-52-69-127-11:https  CLOSE_WAIT      7116
  TCP    192.168.13.101:60669   ec2-52-69-127-11:https  CLOSE_WAIT      7116
  TCP    192.168.13.101:60671   oneads-sspums-adtech-scd-blue-b:https  CLOSE_WAIT      7116
  TCP    192.168.13.101:60673   209.15.36.33:https     CLOSE_WAIT      7116
  TCP    192.168.13.101:60674   209.15.36.33:https     CLOSE_WAIT      7116
  TCP    192.168.13.101:60679   oneads-sspums-adtech-scd-blue-b:https  ESTABLISHED     7116
  TCP    192.168.13.101:60681   64.94.116.170:https    SYN_SENT        7116
  TCP    192.168.13.101:60682   64.94.116.170:https    SYN_SENT        7116
  TCP    192.168.13.101:60683   64.94.116.170:https    SYN_SENT        7116
  TCP    192.168.13.101:60684   pr-bh-2:https          CLOSE_WAIT      7116
  TCP    192.168.13.101:60685   pr-bh-2:https          CLOSE_WAIT      7116
  TCP    192.168.13.101:60686   64.94.116.170:https    SYN_SENT        7116
  TCP    192.168.13.101:60688   64.94.116.170:https    SYN_SENT        7116
 
C:\Users\Minas Tirith>
 
I suspect I have already been infiltrated quite some time ago already.
 
I caught a blank process using up a chunk of my net last month utilizing remote port 8080, and I solved it by making a new user and ensuring startup is clean.

It was good for quite a while, but I started getting weird mouse movements and sometimes a different key on my keyboard is pressed as I am using it.

I only had Malwarebytes as my antivirus solution back then.

Now, because of that happening in the past, I got ESET Smart Security up, but no luck finding the source.

With this at hand, I've already prepared a bunch of things to help solve this infection.

If anyone out there could help me find the culprit, I can never give enough thanks to show my gratitude.

Note for the pictures: please don't mind IMG_20171004_134803.exe, as it's the Farbar Recovery Scan Tool executable that I merely renamed to avoid potential operation sabotage by whoever is attacking me.
 
My system is Windows 7 Ultimate 64-bit running on a Desktop PC.

Attached Files


Edited by Resonce, 04 October 2017 - 07:18 PM.
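The first post wished for a saved copy of the netstat listing and wondered which process owns each connection. The Python script below is an editor's added example, not code from the thread: it parses a netstat -ano style listing (a constructed sample modelled on the output above, not a copy of it), groups the remote hosts under the owning PID, and tags hosts whose reverse-DNS names follow common hosting/CDN naming patterns. Those provider patterns are assumed triage heuristics of mine; a match suggests who hosts the peer, not who the customer behind it is.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the netstat listing in the first post (not a
# copy of it).  The poster ran netstat without -n, so remote hosts show up as
# reverse-DNS names; 'netstat -ano' would show numeric addresses instead.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    192.168.13.101:60135   ec2-52-4-174-137:https  ESTABLISHED     7116
  TCP    192.168.13.101:60138   a23-51-209-108:https   ESTABLISHED     7116
  TCP    192.168.13.101:60170   53:https               TIME_WAIT       0
  TCP    192.168.13.101:60299   kix05s01-in-f3:https   ESTABLISHED     4328
  TCP    192.168.13.101:60334   server-54-192-127-54:https  ESTABLISHED     4328
  TCP    192.168.13.101:60541   104.28.8.237:https     ESTABLISHED     4008
  TCP    192.168.13.101:60681   64.94.116.170:https    SYN_SENT        7116
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       812
  UDP    0.0.0.0:5355           *:*                                    1104
"""

# One netstat row: protocol, local endpoint, remote endpoint, optional state
# (UDP rows have none), owning PID.  Header, blank and prompt lines don't match.
LINE_RE = re.compile(
    r"^\s*(?P<proto>TCP|UDP)\s+(?P<local>\S+)\s+(?P<remote>\S+)"
    r"(?:\s+(?P<state>[A-Z_]+))?\s+(?P<pid>\d+)\s*$"
)

# Reverse-DNS naming patterns commonly seen for large hosting/CDN providers.
# Assumed triage heuristics: a match hints at who hosts the peer, nothing more.
PROVIDER_HINTS = {
    "AWS EC2": re.compile(r"^ec2-\d+-\d+-\d+-\d+$"),
    "AWS CloudFront": re.compile(r"^server-\d+-\d+-\d+-\d+$"),
    "Akamai": re.compile(r"^a\d+-\d+-\d+-\d+$"),
    "Google": re.compile(r"^[a-z]{3}\d{2}s\d{2}-in-f\d+$"),
}


def parse_netstat(text):
    """Turn raw netstat text into a list of connection dicts."""
    conns = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        host, _, port = m.group("remote").rpartition(":")
        conns.append({
            "proto": m.group("proto"),
            "local": m.group("local"),
            "remote_host": host,
            "remote_port": port,
            "state": m.group("state") or "",
            "pid": int(m.group("pid")),
        })
    return conns


def guess_provider(host):
    for name, pattern in PROVIDER_HINTS.items():
        if pattern.match(host):
            return name
    return "unknown"


def connections_by_pid(conns, live_only=True):
    """Map each PID to {remote_host: connection count}.  TIME_WAIT sockets are
    reported under PID 0 because the owning process has already closed them,
    so they are dropped by default: there is no process left to inspect."""
    by_pid = defaultdict(lambda: defaultdict(int))
    for c in conns:
        if live_only and c["pid"] == 0:
            continue
        by_pid[c["pid"]][c["remote_host"]] += 1
    return {pid: dict(hosts) for pid, hosts in by_pid.items()}


def triage_report(text):
    """Per PID: how many connections it owns and which providers they point at.
    The PID is the pivot: 'tasklist /FI "PID eq <pid>"' names the process."""
    report = {}
    for pid, hosts in connections_by_pid(parse_netstat(text)).items():
        report[pid] = {
            "connections": sum(hosts.values()),
            "providers": sorted({guess_provider(h) for h in hosts}),
        }
    return report


if __name__ == "__main__":
    for pid, info in sorted(triage_report(SAMPLE_NETSTAT).items()):
        print(f"PID {pid:>5}: {info['connections']} connection(s) -> "
              f"{', '.join(info['providers'])}")
```

On Windows, "netstat -ano > connections.txt" writes the snapshot the poster wished he had (numeric addresses plus owning PIDs), and "tasklist /FI "PID eq 7116"" maps a PID to its image name. Matching each connection to the process that opened it is the step that separates a browser's ordinary CDN traffic from something that deserves a second look; the remote provider on its own says very little.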



#2 HelpBot

HelpBot

    Bleepin' Binary Bot


  • Bots
  • 12,733 posts
  • OFFLINE
  • Gender:Male
  • Local time:12:06 PM

Posted 09 October 2017 - 05:55 AM

Hello and welcome to Bleeping Computer!

I am HelpBot: an automated program designed to help the Bleeping Computer Staff better assist you! This message contains very important information, so please read through all of it before doing anything.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

To help Bleeping Computer better assist you please perform the following steps:

***************************************************

In order to continue receiving help at BleepingComputer.com, YOU MUST tell me if you still need help or if your issue has already been resolved on your own or through another resource! To tell me this, please click on the following link and follow the instructions there.

CLICK THIS LINK >>> https://www.bleepingcomputer.com/logreply/659284 <<< CLICK THIS LINK



If you no longer need help, then all you needed to do was the previous instructions of telling me so. You can skip the rest of this post. If you do need help please continue with Step 2 below.

***************************************************

If you still need help, I would like you to post a Reply to this topic (click the "Add Reply" button in the lower right hand of this page). In that reply, please include the following information:

  • If you have not done so already, include a clear description of the problems you're having, along with any steps you may have performed so far.
  • A new FRST log. For your convenience, you will find the instructions for generating these logs repeated at the bottom of this post.
    • Please do this even if you have previously posted logs for us.
    • If you were unable to produce the logs originally please try once more.
    • If you are unable to create a log please provide detailed information about your installed Windows Operating System including the Version, Edition and if it is a 32bit or a 64bit system.
    • If you are unsure about any of these characteristics just post what you can and we will guide you.
  • Please tell us if you have your original Windows CD/DVD available.
  • Upon completing the above steps and posting a reply, another staff member will review your topic and do their best to resolve your issues.

Thank you for your patience, and again sorry for the delay.

***************************************************

We need to see some information about what is happening in your machine. Please perform the following scan again:

  • Download FRST by Farbar from the following link if you no longer have it available and save it to your desktop.

    FRST Download Link

  • When you go to the above page, there will be 32-bit and 64-bit downloads available. Please click on the appropriate one for your version of Windows. If you are unsure as to whether your Windows is 32-bit or 64-bit, please see this tutorial.
  • Double click on the FRST icon and allow it to run.
  • Agree to the usage agreement and FRST will open. Do not make any changes and click on the Scan button.
  • Notepad will open with the results.
  • Post the new logs as explained in the prep guide.
  • Close the program window, and delete the program from your desktop.


As I am just a silly little program running on the BleepingComputer.com servers, please do not send me private messages as I do not know how to read and reply to them! Thanks!

#3 Resonce

Resonce
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  • Gender:Male
  • Local time:01:06 AM

Posted 10 October 2017 - 11:24 AM

I have decided to buy a new SSD as well as reformat my PC, but it seems the intruding attacks are still ongoing, and I think it must be because I forgot to disable autorun, and the virus must've transferred itself automatically after autorun activated on my suspected infected HDD.

Thus, I have run four scans and did my best to cover all the weird connection activity. Oddly enough, the AWS connections seem to have been trying to lie low after it seems to have noticed that I was deliberately trying to establish connections to it, so I did my best to provide as much coverage as possible. My friend tells me that I am just being paranoid, despite my asking for confirmation on the presence of AWS connections in the game that we both play, but I sincerely believe something very sneaky is out there spying on me/stealing from me. I, however, would be more than glad if I really was just being paranoid.

The results below are from the 4th scan; I'll attach the results of the other scans as well as screenshots to help diagnose this problem. Also, a Windows CD/DVD is available to be of use for this problem.

NOTE: FRST suddenly updated on its own by the time I was going to use it to scan for the third time, so I deleted it and redownloaded it for the 4th scan.
 
EDIT: Trying so hard to get the FRST log in here but I'm getting "You do not have permission for that action." "OTL
 
I'm just attaching everything, I hope you don't mind. 

Attached Files


Edited by Resonce, 10 October 2017 - 11:29 AM.


#4 iangcarroll

iangcarroll

  • Members
  • 658 posts
  • OFFLINE
  • Gender:Male
  • Location:Birmingham, MI
  • Local time:12:06 PM

Posted 10 October 2017 - 08:54 PM

Hi Resonce,

Thank you for the logs; I'll look at them now. As I am still in training, my replies must be reviewed before they are posted, so there will be a small delay in my replies.

Ian Carroll https://ian.sh • Certly Inc
 
Member of the Bleeping Computer A.I.I. early response team!


#5 Resonce

Resonce
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  • Gender:Male
  • Local time:01:06 AM

Posted 10 October 2017 - 11:58 PM

No problem! I am glad to know that it's finally my turn to get some help.

This problem has been bothering me as of late, and it's as if I am the only target of the attacker, as the methods being utilized adapt over time according to my activity involving mitigation of its attacks.

In all honesty, I would like to ask for some help blocking all connections from AWS on my system if finding the source will take a long while, as I don't really need it for what I mostly do with my PC .__.



#6 iangcarroll

iangcarroll

  • Members
  • 658 posts
  • OFFLINE
  • Gender:Male
  • Location:Birmingham, MI
  • Local time:12:06 PM

Posted 13 October 2017 - 09:04 AM

Hi Resonce,

Your computer is not infected. The connections you are seeing to Amazon Web Services are completely normal. An enormous number of companies use AWS to host their servers and other web content, and the normal programs on your computer are making these connections.

The IP address in your first post is used as a content delivery network, which means many companies all host their files on it. Did ESET give you a more specific reason for blocking the traffic? If I had to guess, it was likely a bad advertisement or a scareware-type site, but nothing to stay concerned about.
 

I have decided to buy a new SSD as well as reformat my PC but it seems the intruding attacks are still ongoing and I think it must be because I forgot to disable autorun for and the virus must've transferred itself automatically after autorun activated on my suspectedly infected HDD.


Nothing will ever silently execute from a hard drive when connected. Disks can suggest that you run a program, but cannot force you to. I think you reinstalled your normal programs onto the new disk and they resumed making their normal connections.

I just found out that whatever exploited me is deliberately changing startup type of remote desktop services to automatic on every startup of my PC


Where do you see this, and what's the exact service name? If you have a screenshot that would also be useful.

In all honesty I would like to ask some help blocking all connections from AWS on my system if finding the source will take a long while as I don't really need it in what I mostly do with my PC .__.


Blocking AWS traffic would be non-trivial (they own a lot of IP ranges), but it would also make doing many things impossible on your computer. Many websites and programs you likely use every day rely on AWS. As you've noticed, Steam, Discord, and Avast all rely on AWS to function.

My advice is to not read into the network traffic of your computer. It will probably make you nervous for no reason. The issues you've described with your keyboard and mouse are likely minor hardware problems, not malware ones.

Do you have any remaining questions/comments/concerns?

Ian Carroll https://ian.sh • Certly Inc
 
Member of the Bleeping Computer A.I.I. early response team!
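The point above, that AWS owns a great many IP ranges and that blocking them all would break ordinary programs, can be checked against the published list: AWS publishes its address ranges as JSON at https://ip-ranges.amazonaws.com/ip-ranges.json. The Python below is an editor's added example, not code from the thread. It uses a constructed excerpt in that file's shape (the prefixes, regions and services are illustrative sample values, not entries from the real file) and a handful of remote addresses seen in the netstat listing earlier in the thread to show which of them a blanket "block AWS" rule would cut off and which AWS service class each belongs to.

```python
import ipaddress
import json

# Constructed excerpt in the shape of AWS's published ip-ranges.json
# (https://ip-ranges.amazonaws.com/ip-ranges.json).  Prefixes, regions and
# services here are illustrative sample values, NOT entries from the real file.
SAMPLE_IP_RANGES_JSON = json.dumps({
    "syncToken": "0000000000",
    "createDate": "2017-10-13-00-00-00",
    "prefixes": [
        {"ip_prefix": "54.192.0.0/16", "region": "GLOBAL",         "service": "CLOUDFRONT"},
        {"ip_prefix": "52.4.0.0/14",   "region": "us-east-1",      "service": "EC2"},
        {"ip_prefix": "52.196.0.0/14", "region": "ap-northeast-1", "service": "EC2"},
    ],
})

# Remote addresses taken from the netstat listing earlier in this thread (the
# reverse-DNS names such as ec2-52-4-174-137 converted back to dotted quads).
OBSERVED_REMOTE_IPS = [
    "54.192.127.86",   # the address ESET flagged in the first post
    "52.4.174.137",
    "52.198.223.89",
    "151.101.1.69",    # not inside any AWS prefix in the sample list
    "104.28.8.237",    # not inside any AWS prefix in the sample list
]


def load_prefixes(raw_json):
    """Parse the JSON into (network, region, service) tuples, IPv4 and IPv6 alike."""
    data = json.loads(raw_json)
    entries = data.get("prefixes", []) + data.get("ipv6_prefixes", [])
    return [
        (ipaddress.ip_network(e.get("ip_prefix") or e["ipv6_prefix"]),
         e["region"], e["service"])
        for e in entries
    ]


def lookup(ip, prefixes):
    """Most specific (longest) prefix containing ip, or None if the list
    does not announce it."""
    addr = ipaddress.ip_address(ip)
    best = None
    for net, region, service in prefixes:
        if addr.version == net.version and addr in net:
            if best is None or net.prefixlen > best[0].prefixlen:
                best = (net, region, service)
    return best


def block_impact(remote_ips, prefixes):
    """Split observed peers into those a blanket 'block all AWS ranges' rule
    would cut off (keyed by AWS service) and those it would leave alone."""
    blocked, untouched = {}, []
    for ip in remote_ips:
        hit = lookup(ip, prefixes)
        if hit is None:
            untouched.append(ip)
        else:
            blocked.setdefault(hit[2], []).append(ip)
    return blocked, untouched


if __name__ == "__main__":
    prefixes = load_prefixes(SAMPLE_IP_RANGES_JSON)
    blocked, untouched = block_impact(OBSERVED_REMOTE_IPS, prefixes)
    for service, ips in blocked.items():
        print(f"blocked ({service}): {', '.join(ips)}")
    print(f"untouched: {', '.join(untouched)}")
```

Run against the real file, the CLOUDFRONT bucket is the one to watch: a CDN edge serves many unrelated customers, so the address ESET flagged in the first post says nothing by itself about which site or program was behind the request, and a rule that blocks the whole range takes every customer of that edge down with it.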


#7 Resonce

Resonce
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  • Gender:Male
  • Local time:01:06 AM

Posted 14 October 2017 - 01:11 PM

After completely blocking the ip ranges from amazon that I suspect are suspicious, none of the weird activities that I've been encountering before have occured so far.
 
Also, what's really convincing me that something has been planted in me that's spying me is the fact that my game which is Closers KR or that CW.exe is connecting to api1.whatismyipaddress.com like isn't that impractical? They could easily know my ip address with me being connected to their game server. I also asked my friend and told me that connections to that api and to aws doesn't occur to them. We use the same operating system to boot. I also recall the connections doesn't occur before but only started shortly after I've made myself to always end process tree of my browser to forcefully terminate the suspicions connections to AWS going through it.
 
I did the blocking of ip ranges yesterday and after a reboot of my PC today, this time the Norton Security service isn't running by default despite the fact that it's set to run automatic. I discovered it as I noticed that the ip ranges that I blocked started appearing again and much to my surprise, Norton that was supposed to have already been up is apparently not running. I've provided a picture that shows that even the user itself can't even stop the bloody service and is supposed to run at startup by default.
 
Another thing is the fact that Remote Desktop Services always gets set back to Automatic and Started after a reboot, no matter how many times I set it to Disabled. I have provided a picture and highlighted it, showing I have set it to Disabled. Every single time that my computer reboots, the service is already started and is back to being set as Automatic.
 
These changes are way too suspicious for me not to believe that there is a hacker out there trying to exploit me/victimize me, and maybe even the people close and previous to me.
 
I would gladly take any suggestions for finding professional help regarding this matter; I would be delighted to have this annoyance tracked down and put behind bars.



#8 Resonce (Topic Starter)

Posted 15 October 2017 - 10:57 AM

UPDATE: after accidentally doing something to my PC

I stopped getting logs of firewall rules getting violated during the usual use of my PC today.

And everything ran perfectly, even without these weird AWS connections that couldn't even be identified. Will provide further updates if this goes on.



#9 iangcarroll

Posted 16 October 2017 - 10:47 AM

Hi Resonce,
 

After completely blocking the IP ranges from Amazon that I suspect are suspicious, none of the weird activities that I've been encountering before have occurred so far.


This is going to cause problems for you very soon when an application goes to use one of its legitimate servers and can't reach it.
 

I would gladly take any suggestions for finding professional help regarding this matter


I would suggest this forum, particularly this forum thread.
 

my game, which is Closers KR or that CW.exe, is connecting to api1.whatismyipaddress.com; like, isn't that impractical?


No, the local game might want its IP for various reasons. You are still reading too much into your network traffic. You are not qualified to determine that this traffic is malicious or even suspicious. In regards to your comparison to your friend, there are too many uncontrolled variables for it to be useful.

Fundamentally, two things are happening here: you are looking at the outputs of your computer, and I am looking at the inputs. There are no visible malicious inputs going "into" your computer, which means one of two things:
  • You are a powerful politician or otherwise a very attractive target for a very powerful entity, and they have decided to use previously unseen, advanced malware on you to steal all your secrets, which is able to hide from our tools and survive a reinstallation of your operating system; or
  • You are not infected.
I believe the former is happening.
 

Another thing is the fact that Remote Desktop Services always gets set back to Automatic and Started after a reboot, no matter how many times I set it to Disabled. I have provided a picture and highlighted it, showing I have set it to Disabled. Every single time that my computer reboots, the service is already started and is back to being set as Automatic.


Can you please go to Control Panel -> System and Security -> System, click on Remote settings, and take a screenshot of the dialog that appears?
 

I stopped getting logs of firewall rules getting violated during the usual use of my PC today.


Can you please explain what firewall issues you were seeing?

Let me know if you have any other questions, comments, or concerns.



#10 Resonce (Topic Starter)

Posted 18 October 2017 - 10:17 AM

Could you suggest a good course of action? 'Cause at the rate things are going, I don't think we'll ever catch the source, since this attack on me constantly evolves and adapts according to my activity, unless we establish a way for us to communicate in real time and do what needs to be done.

 

I've attached my remote settings as well as one of the logs in particular that I am suspicious of. Though looking at things, it seems XIGNCODE of Closers does utilize AWS. EDIT: Though I am not so sure of this, as XIGNCODE is a game security module and getting denied an internet connection should prevent playing the game, but apparently the game is unaffected despite its connections being prevented by my firewall.

 

Though what's suspicious here is the fact that I came to realize that before October 16 (when suspicious connections seemed to have stopped for a day) my User Account Control wasn't functioning at all, and I realized it just now since my UAC is working totally properly right now: regedit asks through UAC, opening up the list of services shows UAC, clicking the Play button on the Closers launcher shows UAC, and many more...

 

I knew something didn't feel right at the time, but I didn't give it enough attention.

 

*sigh* The internet is so troublesome these days; finding peace is tough luck.



#11 iangcarroll

Posted 20 October 2017 - 10:53 PM

Hi Resonce,

In your past posts, you have not directly addressed the fact I am saying your computer is not infected. I feel I should reiterate, for the third time, that there is no evidence your computer has any malware on it. Nothing you have described at any point in this thread makes me think you are infected, and nothing in the logs you have posted is malicious.

Additionally, you still really need to stop looking at the network traffic of your computer. You are scaring yourself because you don't know how to analyze the network traffic, and are trying to eliminate a threat that does not exist.
 

I've attached my remote settings as well as one of the logs in particular that I am suspicious of.

I believe Norton is setting this service to Automatic, not any malware. Other people have documented seeing this happen with Norton.

Based on the settings you've posted, this is a harmless change on Norton's part. The service won't allow people to remotely connect to your computer just by it starting.
 

Could you suggest a good course of action? 'Cause at the rate things are going, I don't think we'll ever catch the source, since this attack on me constantly evolves and adapts according to my activity, unless we establish a way for us to communicate in real time and do what needs to be done.

I would suggest calming down, removing the firewall rules you made, and following my advice above, which is to stop scaring yourself with your computer's network traffic. There is no sophisticated attack going on against you. Real-time communication will not help anyone.

If you have any questions, comments, or concerns, please let me know. But note that I can only tell you that you're not infected so many times.

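The state Ian describes can be verified directly rather than by watching the Services console. The PowerShell below is an added example, not code from the thread or from Norton; the function names are my own, while the registry paths, cmdlets and Event ID 7040 are standard Windows. TermService being Started and Automatic is only one of several things that have to line up before anyone can open an inbound RDP session: fDenyTSConnections must be 0, the built-in "Remote Desktop" inbound firewall rules must be enabled, and a listener must actually be up. The last function pulls the Service Control Manager's own record of start-type changes, which shows when the flip to Automatic happens and which service it hit, so the reboot-time change can be tied to a timestamp instead of a screenshot.

```powershell
# Added example, not code from the thread. Run in an elevated PowerShell on
# Windows 8 / Server 2012 or later (the Net* cmdlets are not on Windows 7).

function Get-RemoteDesktopState {
    # 1. The service the topic starter keeps seeing set back to Automatic.
    $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='TermService'"
    $serviceState = if ($svc) { $svc.State } else { 'NotFound' }
    $serviceStart = if ($svc) { $svc.StartMode } else { 'NotFound' }

    # 2. The policy switch behind "Allow remote connections to this computer".
    #    1 = connections denied (the client-edition default), 0 = allowed.
    $tsKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
    $deny = (Get-ItemProperty -Path $tsKey -Name fDenyTSConnections -ErrorAction SilentlyContinue).fDenyTSConnections

    # 3. Network Level Authentication on the RDP-Tcp listener (1 = required).
    $nla = (Get-ItemProperty -Path "$tsKey\WinStations\RDP-Tcp" -Name UserAuthentication -ErrorAction SilentlyContinue).UserAuthentication

    # 4. Enabled inbound rules in the built-in "Remote Desktop" firewall group.
    $fwRules = @(Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -ErrorAction SilentlyContinue |
        Where-Object { $_.Direction -eq 'Inbound' -and $_.Enabled -eq 'True' })

    # 5. Is anything actually listening on the default RDP port?
    $listener = Get-NetTCPConnection -LocalPort 3389 -State Listen -ErrorAction SilentlyContinue

    [pscustomobject]@{
        ServiceState        = $serviceState
        ServiceStartMode    = $serviceStart
        ConnectionsDenied   = (($null -eq $deny) -or ($deny -ne 0))
        NlaRequired         = ($nla -eq 1)
        InboundRulesEnabled = $fwRules.Count
        ListeningOn3389     = ($null -ne $listener)
    }
}

function Disable-RemoteDesktopAccess {
    # Turn the feature off at the policy level instead of fighting the
    # service's start type; this is what the Remote settings dialog toggles.
    Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server' `
        -Name fDenyTSConnections -Value 1 -Type DWord
    Disable-NetFirewallRule -DisplayGroup 'Remote Desktop' -ErrorAction SilentlyContinue
}

function Get-ServiceStartTypeChanges {
    # Service Control Manager writes Event ID 7040 to the System log whenever a
    # service's start type changes; the message names the service and the old
    # and new values, so it dates each flip to Automatic.
    param([int]$MaxEvents = 50)
    Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'Service Control Manager'; Id = 7040 } `
        -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'Remote Desktop Services|Norton' } |
        Select-Object TimeCreated, Message
}

Get-RemoteDesktopState
Get-ServiceStartTypeChanges
```

On a machine where Ian's reading is right, the first call reports ConnectionsDenied as True and zero enabled inbound rules even while the service shows Running and Auto, which is the "harmless change" he describes. Event 7040 does not record which process made the change, so it dates the flip rather than attributing it; if it lands right after the Norton service starts on each boot, that is consistent with Norton being the cause.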


#12 Resonce (Topic Starter)

Posted 22 October 2017 - 04:32 AM

If that's how it is seen in the logs, then I can't help that; like I said, this attack on me constantly changes in behavior and I am not sure whether it evaded the Farbar scans.

 

I may not be able to prove it to you, but one thing's for certain: my Norton Security service not starting on startup wasn't just coincidence, nor was my mouse no longer moving erratically days after I blocked suspicious addresses.

 

I know I can't be helped without knowing what the problem is, or if it even exists, but in this case all I can rely on is myself to find a way until I am confident that I am safe.

 

Thank you for the time of trying to help me.



#13 iangcarroll

Posted 23 October 2017 - 08:56 AM

Hi Resonce,

While I don't think you will find anything, I wish you the best of luck. This thread will be closed shortly; if you have any other questions, please make a new topic in the appropriate forum and mention this one.
