Is this a DNS hack?

Discussion in 'privacy problems' started by hstrent, Jan 20, 2018.

  1. hstrent

    hstrent Registered Member

    Joined:
    Jan 20, 2018
    Posts:
    18
    Location:
    southwest Washington state
    Hello everyone! New here. Can you help me with this?

    1. Customer's computer won't boot. Stated she bought into one of those online maintenance scam programs a year ago. The scammers won't respond to her efforts to contact them about non-booting.

    2. Customer brings computer to me. I wipe all disk partitions and do a fresh install of Windows 10.

    3. I take the computer back to her. Any and all attempts to get on the net are met with a warning about potential privacy invasion and being an insecure site. No matter what address is typed into the URL that same warning screen appears and does this with all browsers installed.

    4. I take customer's computer to my shop and connect to the net without any such warnings. Seems normal.

    5. I take my laptop to her house and connect to her modem/router and get no warnings and no problems surfing the net.

    6. Clear all browsers of history and cache, cookies more than once.

    7. I do a hardware reset of her Centurylink gateway device, connect her computer and the warnings are back. Called Centurylink tech and they reset the gateway device from their end but warnings still there.

    8. I spoofed the MAC address of her computer and warnings disappear.

    9. Obviously, this problem is tied to her MAC address.

    10. My conclusion is that her gateway device has been hacked and there is some kind of DNS redirection going on.


    Questions:

    1. Is my conclusion correct? Is this a DNS hack?

    2. Since the MAC spoof worked, is the customer still at risk?

    3. Should the router be replaced?


    Thanks. Networking and internet security are not my strong suit.
     
  2. reasonablePrivacy

    reasonablePrivacy Registered Member

    Joined:
    Oct 7, 2017
    Posts:
    2,010
    Location:
    Member state of European Union
    It appears her router/modem may be infected or somebody is actively uploading wrong data to the router.
    Probably the most popular method is to attack the wireless network (Wifi).
    Does she connect to the router through Wifi? If not, is Wifi enabled on the router? Does she use a strong Wifi password? Is her OS patched against the discovered vulnerabilities in WPA2 such as the Krack attacks (probably it is, because Windows 10 is going to update itself)? What protocol does Wifi use to protect the connection - WEP (insecure), WPA2 (can be secure)?
    Even with Wifi disabled one can try to infect the router through unpatched, publicly known vulnerabilities.

    I don't think spoofing is any protection. It is just a temporary workaround.

    She certainly should have a firewall for at least inbound connections. It can be the built-in Windows firewall if configured properly. It will not protect her against all threats, because attempts to intercept her connections are still possible.

    You can increase security by using encrypted and authenticated DNS via DnsCrypt or IBM's DNS providing DNS over TLS using Stubby. I haven't tested the second option.

    For diagnosis I would start by using an Ethernet (cable) connection and the Wireshark program to see what happens in her network.
     
  3. Stefan Froberg

    Stefan Froberg Registered Member

    Joined:
    Jul 30, 2014
    Posts:
    747
  4. hstrent

    hstrent Registered Member

    Joined:
    Jan 20, 2018
    Posts:
    18
    Location:
    southwest Washington state
  5. hstrent

    hstrent Registered Member

    Joined:
    Jan 20, 2018
    Posts:
    18
    Location:
    southwest Washington state
    She normally uses the ethernet connection but we tried WIFI and get the same warning. Both router admin password and network password were changed to stronger from default but it did not change the result. What would you recommend for configuring the built-in Windows firewall? And what do you mean by, "or someone is actively uploading wrong data to router"?
     
  6. hstrent

    hstrent Registered Member

    Joined:
    Jan 20, 2018
    Posts:
    18
    Location:
    southwest Washington state
    Pretty sure she is using WPA2.
     
  7. RockLobster

    RockLobster Registered Member

    Joined:
    Nov 8, 2007
    Posts:
    1,812
    This is very interesting.

    My first thoughts are, persistent Master Boot Record (MBR) virus.
    Formatting the drive will not remove the MBR so these types of virus are extremely persistent and will reinfect your new installation the first time you boot into it.

    To test, remove hard drive and boot her computer into a live linux CD and see what happens when you connect to the internet.
    If result is clean, you know it is probably hard drive based issue so look up stuff on removing master boot record virus.

    If it is that, you would best fix it by mounting that infected drive as mass storage from her computer while running the Linux live CD, and use the Linux tools to fix her MBR. So use a live Linux distro that comes with the disk tools you need for that.
    That ensures the virus can't infect another installation.
    Then reformat the drive, again from the Linux CD, and be sure there are no hidden partitions that remain.
     
    Last edited: Jan 21, 2018
  8. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    9,252
    Maybe first get CenturyLink to give her a new modem/router? Hers is probably old, anyway.
     
  9. hstrent

    hstrent Registered Member

    Joined:
    Jan 20, 2018
    Posts:
    18
    Location:
    southwest Washington state
    Yeah, the Linux Live boot had occurred to me too. That would effectively restore the original MAC address to the computer without putting the Windows installation at risk but would allow me to see if the warning occurred outside of a Windows environment.

    I could also disable the internal drive in bios I imagine, at least temporarily.

    But two questions:
    1. Would a computer that came from the factory with Windows 8 actually have a MBR? They're formatted with GPT aren't they? Or would the presence of a factory restore partition mean there might have been a MBR partition on the drive from the factory?
    2. Specifically, what Linux tool would you use to wipe an MBR? Gparted? And if I did that, how would I initialize the drive so that Windows 10 could see it without connecting the drive externally? This is an all in one desktop and I really don't want to have to take it apart to get the drive out if at all possible.
     
  10. hstrent

    hstrent Registered Member

    Joined:
    Jan 20, 2018
    Posts:
    18
    Location:
    southwest Washington state
    mirimir,

    I have encouraged the customer to contact Centurylink and lean on them to get the gateway device replaced. I even outlined for her in writing a summary of what the problem was and what had been tried to remedy it so that she could make a case with Centurylink support that they needed to replace the box. I'm not sure how motivated she is to do this since my MAC address spoof got her up and running again, even though I reinforced to her it may only be a temporary workaround. She is also on a very limited income and might not be able to afford replacing the device if Centurylink won't pick up the tab. This is an ISP that is not very cooperative in my experience. If it ain't dead they are not usually willing to replace it unless the customer is willing to buy a new one.
     
  11. hstrent

    hstrent Registered Member

    Joined:
    Jan 20, 2018
    Posts:
    18
    Location:
    southwest Washington state
    Rocklobster,

    If the problem were a MBR virus, wouldn't I have gotten the redirect when I took the computer back to my shop (before spoofing the MAC) and connected it up?
     
  12. hstrent

    hstrent Registered Member

    Joined:
    Jan 20, 2018
    Posts:
    18
    Location:
    southwest Washington state
    Moved to my laptop and I'm not able to quote and reply to your individual posts. What's going on?

    And why am I not able to edit my first post to correct typos? No "edit" choice shows.
     
  13. Palancar

    Palancar Registered Member

    Joined:
    Oct 26, 2011
    Posts:
    2,402
    I don't see (unless in haste I missed it) that you have taken the computer to YOUR network, or another, and determined if the machine runs fine on another network. This simple test would completely eliminate the actual computer from the suspect pool. First thing I would do if I entered the "mix". Lots of small things to do beyond that. I wish it was here and I could run lots of "tools" over the drive as a hobby. Not asking you, just saying these are my specialty. Just love networking challenges. Sick I know!
     
  14. hstrent

    hstrent Registered Member

    Joined:
    Jan 20, 2018
    Posts:
    18
    Location:
    southwest Washington state
    Palancar, check #4 in the outline of my first post. There I explain that I took the computer in question from the client's house after a fresh install of Windows 10 and connected to my own network without issue. I assume that would also accomplish what you said about removing it from the suspect pool.
     
  15. lofac

    lofac Registered Member

    Joined:
    Jan 18, 2018
    Posts:
    125
    Location:
    .
    This is indeed an interesting case.

    - I suggest checking if there are any open ports in the router's page (usually NAT); if any are found, remove them. Also disable the automatic configuration server (ACS) or CWMP feature that some routers may have to give the manufacturer the ability to remotely update the router's configuration. If there's a DDNS feature check if it has any servers too.

    - Have you tried changing IP and DNS manually?

    - What's exactly the error message that browsers give you?

    - Programs such as Wireshark or Fiddler2 can possibly reveal more useful information on this.

    - When you tested with your laptop on her network, did you check if you were using manual IP and DNS or the option was set to automatic? If you didn't check, maybe check again while making sure that you use the router's default DHCP settings (IP and DNS), and another time check with manual settings?

    - Try to use her MAC address by copying it on your laptop, while hers is spoofed to another?

    - To give another theory, since you said by using it on your network, there's no issue, and spoofing MAC fixed it on her network, I can suggest the following at the moment, based on that info I understood from your posts:
    1. Revert back to original MAC address (for the sake of this troubleshooting)
    2. Test connection to make sure if the issue still there or no
    3. Download AntiNetcut, or the alternative XArp tool, and see what each has to show. If it's an ARP attack you should know by now.

    This is just a quick thought process, I put each idea in a line after having read your posts. Let us know of updates on this.
     
  16. hstrent

    hstrent Registered Member

    Joined:
    Jan 20, 2018
    Posts:
    18
    Location:
    southwest Washington state
    Had to look up what ARP is: "ARP spoofing is a type of attack in which a malicious actor sends falsified ARP (Address Resolution Protocol) messages over a local area network. This results in the linking of an attacker's MAC address with the IP address of a legitimate computer or server on the network."

    This sounds like the most likely scenario so far that has been offered. If that be the case then when I spoofed the MAC address of the customer's computer I would have broken that link and she should be okay now until and unless something undoes the spoof like another fresh install of Windows or possibly, the next Windows platform update.

    I need to let all of you know that I may not get another opportunity to try some of your suggestions since the customer doesn't seem motivated to pursue the issue. But I really appreciate your input. I was just fishing for new ideas as to what caused this so that, if nothing else, I run into it again.
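lofac's suggestion to look for an ARP attack, and the ARP-spoofing definition quoted in the reply above, can be checked without a dedicated tool. An ARP poisoner has to keep telling the victim that the gateway's IP lives at the attacker's MAC, so in a capture the same IP shows up with two different MACs, the gateway IP is answered by a MAC other than the one printed on the router, and one MAC typically answers for the gateway and for other hosts at once. The script below is an added example and is not code from lofac or anyone else in the thread. The ARP replies are constructed inline; in practice they would be exported from a Wireshark/tshark capture (fields arp.src.proto_ipv4 and arp.src.hw_mac) or collected from repeated `arp -a` snapshots, and the trusted gateway MAC would come from the device label or a clean earlier capture.

```python
"""Spot ARP cache poisoning symptoms in a list of observed ARP replies.

Added example, not code from the thread. Input is constructed here; in
practice it comes from a tshark export of arp.src.proto_ipv4 and
arp.src.hw_mac, or from `arp -a` snapshots taken over a few minutes.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ArpReply:
    ts: float         # seconds since start of capture
    sender_ip: str    # arp.src.proto_ipv4: the IP the sender claims to own
    sender_mac: str   # arp.src.hw_mac: the MAC it wants cached for that IP


# Constructed sample. The real gateway 192.168.0.1 is 00:11:22:33:44:55.
# From t=1.0 a second station, aa:bb:cc:dd:ee:ff, starts answering for the
# gateway's IP and for another host: the pattern of a man-in-the-middle.
SAMPLE_REPLIES = [
    ArpReply(0.0, "192.168.0.1", "00:11:22:33:44:55"),
    ArpReply(0.5, "192.168.0.20", "66:77:88:99:aa:bb"),
    ArpReply(1.0, "192.168.0.1", "aa:bb:cc:dd:ee:ff"),
    ArpReply(1.1, "192.168.0.1", "aa:bb:cc:dd:ee:ff"),
    ArpReply(1.2, "192.168.0.20", "aa:bb:cc:dd:ee:ff"),
    ArpReply(2.0, "192.168.0.1", "aa:bb:cc:dd:ee:ff"),
]


def bindings(replies):
    """Return (ip -> set of MACs, mac -> set of IPs) seen across all replies."""
    by_ip, by_mac = defaultdict(set), defaultdict(set)
    for r in replies:
        by_ip[r.sender_ip].add(r.sender_mac.lower())
        by_mac[r.sender_mac.lower()].add(r.sender_ip)
    return by_ip, by_mac


def find_arp_anomalies(replies, gateway_ip, trusted_gateway_mac=None):
    """Return a list of findings; an empty list means the capture looks clean.

    ip_multiple_macs              one IP answered by more than one MAC
    gateway_mac_mismatch          gateway IP answered by a MAC other than the known one
    mac_claims_gateway_and_hosts  one MAC answering for the gateway and other hosts
    """
    by_ip, by_mac = bindings(replies)
    findings = []
    for ip, macs in sorted(by_ip.items()):
        if len(macs) > 1:
            findings.append({"type": "ip_multiple_macs", "ip": ip, "macs": sorted(macs)})
    if trusted_gateway_mac is not None:
        for mac in sorted(by_ip.get(gateway_ip, ())):
            if mac != trusted_gateway_mac.lower():
                findings.append({"type": "gateway_mac_mismatch", "ip": gateway_ip,
                                 "expected": trusted_gateway_mac.lower(), "seen": mac})
    for mac, ips in sorted(by_mac.items()):
        if gateway_ip in ips and len(ips) > 1:
            findings.append({"type": "mac_claims_gateway_and_hosts", "mac": mac,
                             "ips": sorted(ips)})
    return findings


def first_change(replies, ip):
    """Timestamp at which the MAC announced for `ip` first differs from the
    initial one, or None if it never changes. Useful to line up against
    when the browser warnings started."""
    seen = None
    for r in sorted(replies, key=lambda r: r.ts):
        if r.sender_ip != ip:
            continue
        if seen is None:
            seen = r.sender_mac.lower()
        elif r.sender_mac.lower() != seen:
            return r.ts
    return None


if __name__ == "__main__":
    for f in find_arp_anomalies(SAMPLE_REPLIES, "192.168.0.1", "00:11:22:33:44:55"):
        print(f)
    print("gateway MAC first changed at t =", first_change(SAMPLE_REPLIES, "192.168.0.1"))
```

A finding is evidence, not proof: a router swap or a second DHCP server on the LAN produces the same ip_multiple_macs pattern, so the gateway_mac_mismatch check against a MAC you read off the device is the one to weight most. If the only MAC that ever answers for the gateway IP belongs to the gateway device itself, the device rather than a third station is what to suspect.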
     
  17. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    Many of us are hesitant to give you any advice on removing malware because it's against this forum's policy. This forum is mainly for recommending Security Products, recommending different methods of mitigation, and beta testing products. If the customer does decide to pursue the issue further then you should open a case at Malwarebytes, or Bleeping Computer. They have staff trained specifically for Malware removal.
    https://forums.malwarebytes.com/index.php
    https://www.bleepingcomputer.com/

    I can say that if you have eliminated the drive, modem, and router as the source of the infection then you may consider the BIOS/UEFI could have been infected as rare as that may be. The behavior you are seeing is rare, and the person did give the attacker remote access to the computer. I would love to be able to make a house call to this person. I'm an Information Security student close to graduating, and from my experience this is pretty rare behavior.
     
    Last edited: Jan 21, 2018
  18. hstrent

    hstrent Registered Member

    Joined:
    Jan 20, 2018
    Posts:
    18
    Location:
    southwest Washington state
    Thanks, I understand you cannot promote various anti malware products. Actually, I have quite a bit of experience with removing malware per se. It just did not seem to be a malware related security issue to me since the customer's computer didn't misbehave when connected to my network. Nonetheless, I would certainly run a boot time scan if I had access to the machine again. I would also consider doing a UEFI update if one was available.
     
    Last edited: Jan 22, 2018
  19. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    We can promote Anti-malware products as much as we want, we just can't give malware removal instructions. I'm sure you will figure it out like most problems using the process of elimination. If you have a modem, and router that will work with the client's ISP then you should be able to eliminate if their modem, and/or router is the problem. It sounds like you have been taking all the right steps in order to discover the problem. I'm sure dealing with the problem you have encountered would be a learning experience for many working in the computer field.
     
  20. reasonablePrivacy

    reasonablePrivacy Registered Member

    Joined:
    Oct 7, 2017
    Posts:
    2,010
    Location:
    Member state of European Union
    UEFI infections are implants used by nation-state agencies. Unless she is a political dissident, I suggest firstly thoroughly checking more probable hypotheses.


    I would love, too!

    I think lofac and Stefan Froberg gave most useful suggestions.
     
    Last edited: Jan 22, 2018
  21. RockLobster

    RockLobster Registered Member

    Joined:
    Nov 8, 2007
    Posts:
    1,812
    @hstrent
    Did you check the MBR yet? I just now saw your follow up questions, yes Windows 8 does have an MBR.

    I have been reading the rest of the discussion which looks mainly towards an external attack, which it could be, but if as you originally suspected, it originated from a fake antimalware install, it will be persistent malware.
    Your follow up questions to me.
    1. Yes Windows 8 has a master boot record that can execute malware persistently after reformatting the drive.
    2. You can use the dd command in Linux to remove a Windows MBR.
    3. You can use Diskpart in Windows with the Clean command to completely remove all partition info including the MBR.
    You may be able to run diskpart from a Windows install CD, I'm not sure though.
    Be aware if you remove/replace the MBR, the manufacturer's factory restore options (if there were any) won't work anymore.
     
    Last edited: Jan 22, 2018
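The MBR-versus-GPT question raised earlier in the thread is not either/or: every disk has a first sector laid out as an MBR, and on a GPT disk that sector is a "protective MBR" holding a single partition entry of type 0xEE, optionally with legacy boot code in its first 440 bytes (firmware booting in UEFI mode never executes that code, but it is still there to inspect). The parser below is an added example, not code from RockLobster or anyone else in the thread. It reads a 512-byte sector as `dd if=/dev/sdX of=mbr.bin bs=512 count=1` would produce it, checks the 0x55AA boot signature, lists the partition entries, classifies the disk as classic MBR or GPT-protected, and reports whether any boot code is present at all, which is the quick way to confirm that a `dd` wipe or `diskpart clean` actually cleared it. The sample sectors are constructed in the code; no real disk is touched.

```python
"""Parse the first 512 bytes of a disk (the MBR or GPT protective MBR).

Added example, not code from the thread. Sample sectors are built in
memory by build_mbr(); to inspect a real drive, read-only, feed the output
of `dd if=/dev/sdX of=mbr.bin bs=512 count=1` to parse_mbr().
"""
import struct

SECTOR = 512
BOOT_CODE_LEN = 440              # bytes 0..439 hold legacy boot code
DISK_SIG_OFFSET = 440            # 4-byte Windows disk signature
PART_TABLE_OFFSET = 446          # four 16-byte partition entries
BOOT_SIGNATURE = b"\x55\xaa"     # bytes 510..511
PART_TYPE_GPT_PROTECTIVE = 0xEE
# status, CHS start (3 bytes), type, CHS end (3 bytes), LBA start, sector count
PART_ENTRY = struct.Struct("<B3sB3sII")


def build_mbr(entries, boot_code=b"", disk_signature=0x12345678):
    """Assemble a sector from up to four (type, lba_start, sectors) tuples.

    Test-data helper only. The first entry is marked bootable (0x80).
    """
    if len(boot_code) > BOOT_CODE_LEN or len(entries) > 4:
        raise ValueError("boot code too long or more than four partitions")
    sector = bytearray(SECTOR)
    sector[:len(boot_code)] = boot_code
    struct.pack_into("<I", sector, DISK_SIG_OFFSET, disk_signature)
    for i, (ptype, lba, count) in enumerate(entries):
        status = 0x80 if i == 0 else 0x00
        PART_ENTRY.pack_into(sector, PART_TABLE_OFFSET + 16 * i,
                             status, b"\xff\xff\xff", ptype, b"\xff\xff\xff", lba, count)
    sector[510:512] = BOOT_SIGNATURE
    return bytes(sector)


def parse_mbr(sector):
    """Return a dict describing the sector: validity, layout, partitions, boot code."""
    if len(sector) != SECTOR:
        raise ValueError("expected exactly one 512-byte sector")
    if sector[510:512] != BOOT_SIGNATURE:
        # A zeroed sector (e.g. after dd if=/dev/zero) lands here.
        return {"valid": False, "layout": "no boot signature", "partitions": [],
                "boot_code_present": any(sector[:BOOT_CODE_LEN])}
    partitions = []
    for i in range(4):
        status, _, ptype, _, lba, count = PART_ENTRY.unpack_from(
            sector, PART_TABLE_OFFSET + 16 * i)
        if ptype == 0:
            continue                      # empty slot
        partitions.append({"index": i, "bootable": bool(status & 0x80),
                           "type": ptype, "lba_start": lba, "sectors": count})
    if any(p["type"] == PART_TYPE_GPT_PROTECTIVE for p in partitions):
        layout = "protective MBR (GPT disk)"
    elif partitions:
        layout = "classic MBR"
    else:
        layout = "MBR with empty partition table"
    return {"valid": True, "layout": layout, "partitions": partitions,
            "disk_signature": struct.unpack_from("<I", sector, DISK_SIG_OFFSET)[0],
            "boot_code_present": any(sector[:BOOT_CODE_LEN])}


if __name__ == "__main__":
    # Constructed: a GPT disk's protective MBR with no legacy boot code ...
    print(parse_mbr(build_mbr([(PART_TYPE_GPT_PROTECTIVE, 1, 0xFFFFFFFF)])))
    # ... a classic MBR with one bootable NTFS (0x07) partition and boot code ...
    print(parse_mbr(build_mbr([(0x07, 2048, 1_000_000)], boot_code=b"\xeb\x63\x90")))
    # ... and a fully zeroed sector, as left by a dd wipe.
    print(parse_mbr(bytes(SECTOR)))
```

Run against a saved sector, `boot_code_present` being False on a GPT disk is the normal state for a machine that ships booting in UEFI mode, while a True there on a disk you believed you had cleaned tells you the first 440 bytes survived whatever was done to the partition table.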