Dirtjumper and suspicious network traffic
#1
Background.
Hi! I decided to ask for some help here in case someone knows more about this security issue than I do. This issue has been going on to this day, starting in January when our ISP began informing us via text messages about a security issue called "Dirtjumper", related to some kind of suspicious activity going out from our side to the internet. At first I couldn't find anything on this PC by doing research and scans with Avast and Malwarebytes, and after they closed the connection we contacted their technical support, who remotely checked this PC and did mostly the same things I did, including a couple more scans with different tools; they found nothing. Only once during these three months (I guess it was at the end of January or in February) Avast found, blocked and quarantined a process called "wuauclt.exe" and a file called "inetcpl.cpl".
So this whole thing kind of started to loop over and over again after they reopened our connection. They inform us about Dirtjumper, I try to do everything I can, nothing is found, our connection gets closed and then we contact them again asking for help. At some point I decided to install Wireshark to see if there was actually something going on, and yes, there were random connections to random IP addresses linked to different domains and countries, e.g. Russia, China, Japan, Korea, Iran and probably more.
I have done a clean reinstall of Windows at least three times but this issue still occurs. We even asked them to send someone to physically take a look at this PC and our router to see if there actually was something. After I told him I hadn't found anything other than those random connections, he did a couple of scans on this PC and contacted technical support right away. The only thing he did was remove our router and tell us it was the router sending out all the suspicious activity, because the MAC address of the router corresponded with the one inside the unwanted packets, which technical support had probably looked at. 91€ well spent.
So after this we of course received another message from our ISP telling us about Dirtjumper; we didn't even bother to contact them anymore, because it would be a useless waste of time and money. I decided to stop using this PC for a week to get some extra time for us, reinstalled Windows again and set up antivirus. I noticed Brian's video about his own security solutions and decided to try out ZoneAlarm. ZoneAlarm started to block the random connections and we haven't received messages from our ISP for about two weeks now. Not sure if it's because of ZA fighting against them or if this is again some kind of break from our ISP not telling us about Dirtjumper (yes, they had about a two-and-a-half-week break in February when we heard nothing from them although the problem was still there). The problem now is that it most likely still exists. ZoneAlarm blocks around 1 connection per minute, and the total number of blocked connections from 15.3, the day I installed ZA, to this day is 10.8k (while writing this, the count increased by about 200 blocked attempts; it was originally 10.6k). Unfortunately ZA is somehow broken so it doesn't show the logs anymore, but they can still be viewed from the files themselves.

What have I done so far.
Various scans with many tools including Avast, MBAM, MBAR, AdwCleaner, NPE, RogueKiller and HitmanPro. I've done all these scans in safe mode too, except for HitmanPro and NPE because they need an internet connection, which doesn't work in safe mode even if I have networking selected with safe mode. I also tried TDSSKiller but it simply didn't run, for some unknown reason.
I tried to reset the BIOS CMOS settings with the jumpers on my motherboard in case it had anything to do with it, or in case there was something in the BIOS. Not 100% sure how those things work.
I also checked my hard drive's partitions with GParted for hidden partitions, but I don't think there was anything there either.
I've executed some commands related to fixing the MBR with cmd inside the recovery environment. I tried a second time to do something about the MBR but got stuck at the /fixboot command, which the system wouldn't allow to execute.
I've tried to investigate what Dirtjumper is; I know it is a botnet used in DDoS attacks, but there is almost nothing related to Dirtjumper on the internet: not much information, no working removal guides, videos etc., just nothing, or then it's me and I don't know how to search. And because dirt jumping is an actual thing, it makes things even more difficult.

I have no idea how or where this problem could've come from, but after I built this PC at the end of September 2017 I used it without any 3rd-party AV for a couple of months. Not sure what I was thinking back then, but that's probably related to this issue. There aren't any other devices connected to our network because I use it with an ethernet cable; we have one old laptop but that is barely used.

We are losing our minds because of this continuing hell, so if there is anything still to do, I'll more than gladly read your ideas and tips.

PC specs if needed:
CPU: Ryzen 5 1600
GPU: GTX 1060 6GB
RAM: Corsair Vengeance LPX black 16GB running at 3000 MHz
Motherboard: Asus Prime B350 Plus, BIOS version 3803
Storage: Western Digital 1TB WD Blue 7200 rpm and Samsung 250GB 850 EVO SSD as the system drive
PSU: Seasonic 520W M12II-520 Evolution

#2
Sounds like you may have the issue solved. No more calls from your ISP and ZoneAlarm is handling any outgoing calls. A good log to post here from ZoneAlarm would be nice to see. If ZA is corrupt then go ahead and reinstall ZA. Get us some logs to look at.
Tim's Computer Repair (TCR) 
1503 Kings Way, Savannah, GA 31406, US
912-220-0765
https://www.TimsComputerFix.net 


#3
(03-27-2018, 12:58 AM)Timster Wrote:  Sounds like you may have the issue solved. No more calls from your ISP and ZoneAlarm is handling any outgoing calls. A good log to post here from ZoneAlarm would be nice to see. If ZA is corrupt then go ahead and reinstall ZA. Get us some logs to look at.

Yeah, it would be nice if ZA fights against them, and they aren't that big of a problem for my ISP anymore. I'm just wondering why and where all that stuff is coming from, or what it even is. Btw ZoneAlarm has created this nonsense-looking "SandBlastBackup" folder of random stuff on my system drive, like a bunch of text files, pictures of games I don't play or even have, pictures of famous people, HTML documents; like what the hell, what kind of backup folder is that? I also hate their browser add-on, which you can't normally delete or uninstall; are there any other ways to get rid of it? But sure, I will include a log from ZA's firewall; I took out my own IP, hopefully that's ok.


Attached Files
.txt   Za Firewall log.txt (Size: 62.3 KB / Downloads: 10)

#4
Tough one to deal with, as DirtJumper has evolved so much over the years. AV programs can and do find them, but only if the signature is in their database (and these botnet signatures change all the time).

Give a run with HerdProtect to see if their AV engines find anything then post back with results.

You said you've already done a fresh install of your OS but the bot could be lurking on an infected router, although most routers will have some kind of defense against this (as long as they're decent enough).

The biggest IPs I think you're dealing with from the list are:
  • 107.170.198.26 = Digital Ocean
  • 200.113.223.138 = WiMAX DCHP
  • 191.101.167.235 = James Prado
  • 212.92.127.26 = Tolder LLC (extremely bad rep)
  • 61.153.56.30 = ChinaNet Zhejiang Province Network (extremely bad rep)
  • 5.188.11.43 = Cable Com Data Cabling Services Ltd (ebr)
  • 195.154.49.161 = Online S.A.S.
  • 159.65.121.88 = Digital Ocean
  • 186.248.89.26 = Cemig Telecomunicacoes SA (bad rep)
  • 109.248.9.245 = NetArt Group s.r.o
  • 46.105.160.56 = OVH SAS
  • 185.143.223.239 = Information Technologies LLC
Without getting a list of IPs from your ISP it would be difficult to compare.
You may find that Avast is causing some of the issues with its use of proxy services (not likely but may be worth thinking about). A lot of the other IP addresses are Scandinavia based, mainly Finland and Sweden (this could be the Avast proxy at work, not sure).
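Comparing the firewall log against a list of known-bad destinations, as post #4 suggests, is easy to script. The example below is added here and is not code from the thread or from ZoneAlarm; it assumes a simplified, constructed log line layout (not ZoneAlarm's real format) and uses a few of the IPs named above as a watch list.

```python
import re
from collections import Counter
from datetime import datetime

# Assumed, simplified line layout (NOT ZoneAlarm's real log format):
#   <date> <time> <ACTION> <PROTO> <src_ip>:<port> -> <dst_ip>:<port>
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<action>\w+) (?P<proto>\w+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)

# Destinations named in post #4, used here as a watch list.
WATCH_LIST = {"107.170.198.26", "212.92.127.26", "61.153.56.30", "5.188.11.43"}

# Constructed sample log; not a real capture from the poster's machine.
SAMPLE_LOG = """\
2018-03-15 10:00:01 BLOCK TCP 192.168.1.10:51234 -> 107.170.198.26:80
2018-03-15 10:01:05 BLOCK TCP 192.168.1.10:51235 -> 212.92.127.26:443
2018-03-15 10:02:10 BLOCK UDP 192.168.1.10:51236 -> 8.8.8.8:53
2018-03-15 10:03:00 ALLOW TCP 192.168.1.10:51237 -> 93.184.216.34:443
2018-03-15 10:04:20 BLOCK TCP 192.168.1.10:51238 -> 107.170.198.26:80
garbage line that should be skipped
"""

def parse_log(text):
    """Return one dict per line matching LINE_RE; unparseable lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            d = m.groupdict()
            d["ts"] = datetime.strptime(d["ts"], "%Y-%m-%d %H:%M:%S")
            events.append(d)
    return events

def summarize_blocked(events, watch_list=WATCH_LIST):
    """Count blocked destinations, flag watch-list hits, and estimate the
    block rate per minute over the span of the blocked events."""
    blocked = [e for e in events if e["action"] == "BLOCK"]
    counts = Counter(e["dst"] for e in blocked)
    hits = {ip: n for ip, n in counts.items() if ip in watch_list}
    rate = float(len(blocked))
    if len(blocked) >= 2:
        span_min = (blocked[-1]["ts"] - blocked[0]["ts"]).total_seconds() / 60
        if span_min > 0:
            rate = len(blocked) / span_min
    return {"total_blocked": len(blocked), "by_dst": dict(counts),
            "watch_hits": hits, "per_minute": rate}
```

Run `summarize_blocked(parse_log(open("ZAlog.txt").read()))` after adapting LINE_RE to the actual log layout; the per-minute figure lets you check the "about one block a minute" observation from post #1.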

#5
Thanks for replying, guys. And thanks for taking a deeper look at those IPs; I don't know why ZA doesn't show any more logged IPs in the log file, but it would be a much bigger list for sure if it did. I checked some settings in Avast, and there aren't any proxy settings set to use proxies. The technician we requested to come over and check some things took away the router and told us it was the router sending out all the unwanted traffic, but that wasn't the case, as we got informed about Dirtjumper a week after his visit. Unfortunately HerdProtect is not available at the moment, so I can't run a scan with it.

#6
Scan with MiniToolBox


Please download MiniToolBox by Farbar and save it to your desktop.
  • Right-click on the MiniToolBox icon and select Run as Administrator to start the tool.
  • In the main window please checkmark the following checkboxes:
    • Flush DNS;
    • Report IE Proxy Settings;
    • Reset IE Proxy Settings;
    • Report FF Proxy Settings;
    • Reset FF Proxy Settings;
    • List content of Hosts;
    • List IP configuration;
    • List Winsock Entries;
    • List last 10 Event Viewer log;
    • List Installed Programs;
    • List Devices (Only problems);
    • List Users, Partitions and Memory size;
    • List Minidump Files.
  • Click Go and wait patiently.
  • Upon completion (a reboot may be needed) a file called Result.txt will be saved on your desktop.
Please include the content of that file in your next reply.

#7
MiniToolBox run completed. Results in attachment.

#8
Sorry Deswe, didn't realise they had suspended it. You may be able to download it here: http://www.softpedia.com/get/Antivirus/herdProtect.shtml

Whether or not it actually works though, I can't say.

You should also give MRT / MSRT a try; if it's not already on your system when you search for MRT in your desktop search function, then you can download it here: https://www.microsoft.com/en-us/download/malicious-software-removal-tool-details.aspx

I don't see any issues in the minitool log but Brian may see something different so wait for him to reply.
In the meantime give the above a try.

If you get the chance run EEK: https://www.emsisoft.com/en/software/eek/

#9
Alright, thank you. HerdProtect seems to work and I will post the results of the scans at some point.

#10
All the scans are done and I guess nothing was found. Only HerdProtect found something: it found 4 .js files which are related to ZoneAlarm's Chrome add-on, and I removed them all at first, but they came back. The only thing that happened with the removal of those .js files was that the add-on disappeared and then appeared again after 5 seconds when I opened Chrome again. HerdProtect also detected 2 other files and asked me to do a new scan after some time to see whether they are malicious or not, but I never got to see what files they were or whether they were malicious. I only noticed onedrivesetup.exe and goolgeupdate.exe (or something like that) being shown on the screen while Herd scanned.
MRT full scan and EEK couldn't find anything either.

I had to translate the EEK log because it was first in Finnish so don't worry if it looks unusual.


Attached Files
.txt   Herdscanlog.txt (Size: 293 bytes / Downloads: 3)
.png   herdscan1.PNG (Size: 86.57 KB / Downloads: 43)
.txt   EEKscan Log.txt (Size: 1,006 bytes / Downloads: 4)


