SPECIAL STATE PROTECTION SERVICE
SPECIAL COMMUNICATION AND INFORMATION
SECURITY STATE AGENCY

COMPUTER EMERGENCY
RESPONSE CENTER

What should you do if your IP address is registered in the list of infected IP addresses?

1 May 2015

Contents:
1. Finding the infected system (computer) at the infected IP
2. Detection and neutralization of malware in the infected computers
3. Malware types and functionality
 

 

1. Finding the infected system (computer) at the infected IP 

 

If several computers reach the internet through your public IP address (NAT), you need a system that logs the internet connections of the devices on your network, so that you can find out which system or computer has the malware. If you have such a log of your internal network, you can easily identify the infected machine by matching your internal logs against the record for the infected IP.

Let's briefly explain the fields of the record that are used for the comparison:

Infected IP | Date ±0GMT (Unix UTC) | Type | C&C IP | Connection IP | Connection Port | Local Port | Protocol
123.100.100.123|04.04.2015 21:22:28 ±00:00 (1428164548)|zeroaccess||68.227.140.229|16464|10520|udp

Infected IP: The IP address infected by malware, i.e. your outgoing IP address. (Ex. 123.100.100.123)
Date ±0 GMT (Unix UTC): The time of the last detection of the infection, relative to the 0 meridian. By default you need to add +4 / +5, or, for more precise timing, you can convert the Unix UTC timestamp recorded in brackets. (Ex. 04.04.2015 21:22:28 ±00:00 (1428164548))
Type: The type of malware detected. (You can find more information about these malware types at the end of the article.) (Ex. zeroaccess)
C&C IP: The central server (command and control center) that manages the malware. (Ex. the C&C IP is blank because it is not registered)
Connection IP: The IP address of the remote connection that the malware establishes from your computer. (Ex. 68.227.140.229)
Connection port: The port number the malware used on the remote IP address. (Ex. 16464)
Local port: The port number the malware used to leave the internal system when making the external connection. (Ex. 10520)
Protocol: The protocol used by the malware. (Ex. udp)
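
The comparison described above, as an added example that is not part of the original article: it parses one report row and matches it against NAT translation records to find the internal host. The NAT log layout, the internal addresses and the 300-second window are assumptions, as is reading "Local port" as the source port seen from outside after NAT.

```python
import re
from datetime import datetime, timezone

FIELDS = ("infected_ip", "date", "type", "cc_ip", "conn_ip",
          "conn_port", "local_port", "protocol")

def parse_report(line):
    """Parse one pipe-delimited row of the infected-IP report."""
    parts = [p.strip() for p in line.split("|")]
    if len(parts) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(parts)}")
    rec = dict(zip(FIELDS, parts))
    m = re.search(r"\((\d+)\)\s*$", rec["date"])
    if not m:
        raise ValueError("no Unix timestamp in the date field")
    rec["epoch"] = int(m.group(1))  # time-zone independent, used for matching
    rec["conn_port"], rec["local_port"] = int(rec["conn_port"]), int(rec["local_port"])
    return rec

def utc_time(rec):
    """Detection time as an aware UTC datetime, derived from the epoch."""
    return datetime.fromtimestamp(rec["epoch"], tz=timezone.utc)

def endpoint(text):
    """Split 'ip:port' into (ip, port)."""
    ip, port = text.rsplit(":", 1)
    return ip, int(port)

def find_internal_hosts(rec, nat_lines, window=300):
    """Inside IPs whose NAT translation matches the report within +/- window s."""
    hits = set()
    for line in nat_lines:
        ts, proto, inside, outside, dest = line.split()  # assumed log layout
        if (proto == rec["protocol"]
                and endpoint(outside) == (rec["infected_ip"], rec["local_port"])
                and endpoint(dest) == (rec["conn_ip"], rec["conn_port"])
                and abs(int(ts) - rec["epoch"]) <= window):
            hits.add(endpoint(inside)[0])
    return sorted(hits)

REPORT = ("123.100.100.123|04.04.2015 21:22:28 ±00:00 (1428164548)"
          "|zeroaccess||68.227.140.229|16464|10520|udp")
NAT_LOG = [  # constructed sample lines: epoch proto inside outside destination
    "1428164490 udp 192.168.1.23:16464 123.100.100.123:10520 68.227.140.229:16464",
    "1428164500 udp 192.168.1.40:53311 123.100.100.123:40211 198.51.100.7:53",
    # same ports about 18 hours earlier: outside the window, so not attributed
    "1428100000 udp 192.168.1.77:16464 123.100.100.123:10520 68.227.140.229:16464",
]

if __name__ == "__main__":
    rec = parse_report(REPORT)
    print(utc_time(rec), find_internal_hosts(rec, NAT_LOG))
```

For the sample row the bracketed timestamp 1428164548 is 2015-04-04 16:22:28 UTC, so compare epochs rather than the rendered date string when your own logs are kept in a different time zone.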

NOTE:

* If you have received a warning through the "Infected IP" service that your IP address is infected and you are not an expert in the field, please inform the responsible persons immediately.

* If you use a dynamic IP address and the time of the infection does not coincide with the time you were using the IP, i.e. another user was using that public IP at the time of the infection, there is no need to worry about the infection. In such cases, however, please also inform the relevant Internet provider about the log and the IP.

 

2. Detection and neutralization of malware in the infected computers

To find and neutralize malware on an infected computer, we first recommend that you use antivirus software on your personal computer. Antivirus software is the first step you can take to protect your computers from malware in real time. Some users install antivirus software after an infection and complain that it has no effect. This is normal: most antivirus products identify malware at the moment it executes, and because malware may later change its form and way of working and present itself as a normal process of the machine, it is sometimes impossible for an antivirus to detect it. Today antivirus companies are developing new methods that detect and combat malware not only during execution but also by considering its behavior in subsequent processes. However, many dangerous malware families also use techniques to prevent any antivirus software from being installed on the system. It is therefore necessary to install antivirus software in time, i.e. before infection, and to keep its signature base constantly updated. Remember that the main strength of an antivirus is its signature base: it will not be able to fight new malware unless you update the signature base.

Suspicion: Suspicion is one of the methods used to identify viruses. So what should we be suspicious of?
First of all, avoid sites you don't know when surfing the web. Additionally, use software that provides web reputation ratings for your browser. Such programs are intended to inform you about websites that are registered as dangerous. There are various plugins and online services for this:

TrendMicro http://global.sitesafety.trendmicro.com/

McAfee SiteAdvisor software: https://www.siteadvisor.com/

We advise you to review the processes on the infected computer to find malware. If you encounter a suspicious process, you should send the executable file of that process to antivirus labs. We encourage you to use the Process Explorer software from Sysinternals.

https://technet.microsoft.com/en-us/sysinternals/bb896653.aspx

In addition, you can use Process Explorer to manually analyze and retrieve important process-related information.

Malware writes itself into the autorun locations so that it is launched at the next system startup. Use the Sysinternals "Autoruns" tool to collect information about the software that runs at startup.
https://technet.microsoft.com/en-us/sysinternals/bb963902.aspx

Fighting rootkits: Rootkit is the name given to malware that is capable of hiding itself in the system.
For more information: http://en.wikipedia.org/wiki/Rootkit

The following are examples of tools for detecting rootkits.
http://www.gmer.net/
https://www.malwarebytes.org/antirootkit/

Rescue disk: Sometimes malicious software keeps antivirus and other software from being used against it. The best way out of such situations is a rescue disk. A rescue disk can scan the hard disk for viruses directly, without loading the installed system. You can also use it in the fight against rootkits. Find and download the rescue disk of the antivirus software you are using. You can use the following resources to do this.

For downloading and more information:

https://support.kaspersky.ru/viruses/rescuedisk
http://www.avira.com/en/download/product/avira-rescue-system
https://www.avast.com/faq.php?article=AVKB114
http://www.eset.com/int/support/sysrescue/

 

3. Malware types and functionality:

conficker - a computer worm that has been infecting computers since 2008. The malware was written in the Microsoft Visual C++ programming language. 12.000.000 computers have been infected since 2009.

zeusblight - created in 2007. It is intended for attacks on servers and for capturing data. It was written in the C++ programming language and designed for Windows operating systems.

zeroaccess - can steal your bank accounts. So far, 2.000.000 computers have been infected.

darkmayiler - malicious software that contains malware inside and sends a large amount of spam to the internal computers.

palevo - backdoor-type malware that connects the infected computer to an IRC network and lets external parties interfere with it.

cutwail - steals mail, FTP passwords and passwords stored in browsers, and can also carry out DDoS attacks.

gamut - malicious software from a malware pack that sends a large amount of spam to the internal computers.

slenfbot - backdoor-type malware that connects the infected computer to an IRC network and lets external parties interfere with it.

dyre - is a malware which steals bank accounts.

wapomi - intended to infect files. Research has shown that the virus has downloaded and activated several files over the Internet.

Gamarue - a very dangerous trojan (botnet) type. It runs as a rootkit to avoid being identified on the system. It uses extremely strong encryption, decryption and shorthand techniques to hide some modules.

kins - another dangerous botnet. It is recognized as a variant of the Zeus botnet and is coded specifically to harm banks. It also works through RDP and can use DLLs to work with various plugins.

tinba - this trojan targets banking systems. According to sources, it was coded by Turkish hackers. Intelligence is intended to acquire harrier data. So the keylogger is designed to steal logins and passwords from browsers using hook techniques.

shiz - operates as a backdoor in the system. The main objective is to accept remote access and transfer system administration to a remote connection.

torpig - considered a very dangerous rootkit. With the help of the rootkit it is able to evade antivirus software. It is used for data theft on the system. During an infection it allows access to the system's passwords and other information, so that full access to the system can be obtained. In November 2008, Torpig was able to steal 500.000 online banking user passwords.

kelihos - a botnet that works over P2P. It was also detected sending a large amount of spam mail. Its main purpose is to send spam messages; it is also used for DDoS attacks and for attacks against bitcoin.

dorkbot - belongs to a worm family. Its basic infection methods are social networks (Facebook, Twitter), USB disks, and spoken recording programs. After infection it works as a botnet (command & control). Committed from inappropriate content on social networks.

gozi - a trojan program. Its main purpose is to seize encrypted data. Data stolen along with SSL-TLS is stored in the server database. It is widespread owing to vulnerabilities in Internet explorers.

other - other.exe is not an important file for windows but it often creates problems. It is known that it can monitor other file applications.

dridex - unlike the others, this trojan spreads by using MS Word macros. It is considered a banking trojan, and its main target is considered to be US users.

bezigate - this backdoor is loaded onto the system without any user permission. After it is installed, a large number of infected spyware packages are loaded onto your computer.

redyms - a malicious trojan developed for the Windows operating system. It can interfere with the operation of antivirus software on the computer in order to run its functions.

misc - Misc.exe combines different types of EXE file and has been developed for Windows operating system by IMSI.