Topic: Anyone Getting Notices from Comcast due to Bitcoin Mining? (Read 3751 times)

full member
Activity: 196
Merit: 100
Web Dev, Db Admin, Computer Technician
@Kluge
I think I found another option for implementing port mirroring without a switch.

Quote
The solution lies in iptables!

There is an experimental target (ROUTE) which offers an option (--tee) that behaves like the good old linux “tee” command.  It copies a packet to a target ip address and then goes on with the normal behaviour (routing it to its normal target.)

So, how are we going to use this for our port-mirroring?

Imagine that our router has the ip address 192.168.1.1, and our monitor pc has the ip address 192.168.1.254. Then the following two lines will do the trick:
Code:
iptables -A PREROUTING -t mangle -j ROUTE --gw 192.168.1.254 --tee

iptables -A POSTROUTING -t mangle -j ROUTE --gw 192.168.1.254 --tee
This will send a copy of all packets to the monitor pc with the ip 192.168.1.254.

On the monitor, we simply start tcpdump with our desired options and we can monitor all traffic…

In my example, I’m interested in all traffic which has to do with the ip 192.168.1.3 so I call:
Code:
tcpdump (some options here) host 192.168.1.3
http://www.myopenrouter.com/article/10917/Port-Mirroring-Span-Port-Monitor-Port-with-iptables-on-NETGEAR-WGR614L/

Quote
The “-gw” argument should be “--gw” (notice it has two hyphens, not one). The “-tee” argument should also have two hyphens, like so: “--tee”.

The rest of the arguments are correct; “-A”, “-t” and “-j” should have only one hyphen.

The shell general rule of thumb is when a command line argument option has more than one letter to it, it gets two hyphens.
http://blog.goddchen.de/2009/03/port-mirroring-span-port-monitor-port-with-iptables/

Note: I believe this is accomplished on modified routers running DD-WRT, OpenWrt or the like.
full member
Activity: 196
Merit: 100
Web Dev, Db Admin, Computer Technician
It would be sad to see "Trashing the Motherboard" as a viable option for malware remediation.
hero member
Activity: 518
Merit: 500
When I install (or reinstall) Windows, I usually wipe all partitions before installing. The partition manager shows all partitions on the disk, including system, mbr, and any strange ones. I assume any virus partitions would still show up and get wiped on reinstall?

The partition would be hidden. Not in the sense that it has the H attribute in the partition table, but that it's not in the partition table and would appear to be unpartitioned space. But unless the virus has infected your BIOS or some other EEPROM, having such unpartitioned space should be pretty harmless by itself. It still requires an infected bootloader to actually be able to read and execute what's on there. IOW, the crucial part is probably erasing the MBR and bootloader (and praying your BIOS, NIC, and VT-d are clean). But why take chances, just zero fill the drive.
legendary
Activity: 1680
Merit: 1035
When I install (or reinstall) Windows, I usually wipe all partitions before installing. The partition manager shows all partitions on the disk, including system, mbr, and any strange ones. I assume any virus partitions would still show up and get wiped on reinstall?
full member
Activity: 196
Merit: 100
Web Dev, Db Admin, Computer Technician
Quote from: rjk
Interesting, another MBR/BCD virus. So yes, a simple reinstall might not wipe it out, but deleting all partitions and then starting fresh ought to work, right?
The malware partition is outside of the OS written directly to the drive. What value is there in deleting the partition table?
Wiping with a zero write solution is the only way to delete this type of malware. Reinstall from clean backups.

There is another type of malware that can be written to the network ROM, usually a card with boot from network ROM, with additional jump instruction in the BIOS to initiate the infector at boot.

DualComm has a cheap Port Mirroring solution USB Powered.
5 ports 1 hardwired for port mirroring:
DCSW-1005  $59.95
http://dual-comm.com/port-mirroring-LAN_switch.htm
hero member
Activity: 868
Merit: 1000
ISP scares the Hell out of me. I only use it because I've moved in with family in the past month while house sells. Have mining rigs set up. Never had any problems with TWC, but Comcast seems determined to monitor EVERYTHING that goes through them.

About a month ago, Comcast insisted there was malware installed on computers in this house (family member tends to have malware on her computer, but was odd that this first came just after I set the rigs up). I checked all the computers -- nothing unusual going on, no concerning network traffic, no p2p-software (outside Bitcoin) was/is running. This morning, Comcast sent another email saying they were blocking port 25 due to "detected virus-like activity from your modem." Checked, and there's no network traffic using :25. Is this all due to Bitcoin mining traffic? Anyone have similar experiences? Becoming concerned they're going to try imposing fees or canceling service.

It's possible that your computer is infected by malware that sends out spam. As mentioned in this thread, port 25 is used for sending e-mail. Even if you check with anti-virus programs, there's a small possibility that the malware in question goes under the radar. Also, you'd have to constantly monitor that port to ensure there's no activity on it. For all you know, the activity may happen when you're not actively using your computer. Another possibility is that Comcast has somehow targeted you in error; this may happen as well. Anyway, if you get port 25 blocked, unless you need it to send e-mail (perhaps you could use another port, or another service), you should be fine. Bitcoin doesn't use port 25.

Another possibility is that your miner is infected with malware. If you run a binary version you downloaded from the web, you really don't know what's inside that binary, but if you download from a 'trusted' source, you should generally be fine.

In summary, there could be many reasons for this happening, and don't freak out in regards to the bitcoin mining; I don't think this is what they're targeting here.

If you wanted to monitor all network traffic, you must set up a program that can monitor all ports around the clock and which programs are causing the traffic.

Perhaps you could call their tech department, and tell them that you've received their notification, but you couldn't find any suspicious activity on your pc. Then they could (if they want) tell you what they're detecting on their side. No need to mention the bitcoin mining to them at all if calling in, I'm pretty sure that's not the culprit here.
rjk
sr. member
Activity: 448
Merit: 250
1ngldh
My bullshit-o-meter almost exploded when I read that.

Actually, if you follow his link, then it depends how you define wiping the drive (dd'ing will definitely do it, but a quickformat might not) and depending if windows upon reinstallation always rewrites the bootloader if there is already one. I'm not 100% certain about that.

That said, there are possibilities to infect machines that resist any hdd wipe or even replacement. If you have an intel machine with "Vpro" / VT-d, then it's theoretically possible to have a rootkit in the Vpro controller. Really scary stuff:

http://invisiblethingslab.com/press/itl-press-2009-03.pdf
http://www.invisiblethingslab.com/resources/2011/Software%20Attacks%20on%20Intel%20VT-d.pdf

Gets even scarier if you consider the possibility intel just hands over the private keys to 3 letter agencies, which could thereby obtain full remote access to your machine with no way for you to detect it or prevent it. The VPro controller has access to your network, hdd, display buffer, ram, heck even webcam. Like I said, scary.

TDL4 will live through a simple format and reinstallation of the OS... I've done a lot of research on this and even wrote a kernel level boot loader for proof of concept in ASM and C....

Here's a good article on the bootloader if you're interested:

http://www.securelist.com/en/analysis/204792157/TDSS_TDL_4#2

and another very detailed article on how everything works:

http://www.securelist.com/en/analysis/204792180/TDL4_Top_Bot

Quote
According to these databases, in just the first three months of 2011 alone, TDL-4 infected 4,524,488 computers around the world.


TDL4 is probably the most advanced trojan I've ever seen

Interesting, another MBR/BCD virus. So yes, a simple reinstall might not wipe it out, but deleting all partitions and then starting fresh ought to work, right? In any case, those articles indicate that there are ways to detect it, and Kaspersky already has a tool to remove it.
full member
Activity: 209
Merit: 100
My bullshit-o-meter almost exploded when I read that.

Actually, if you follow his link, then it depends how you define wiping the drive (dd'ing will definitely do it, but a quickformat might not) and depending if windows upon reinstallation always rewrites the bootloader if there is already one. I'm not 100% certain about that.

That said, there are possibilities to infect machines that resist any hdd wipe or even replacement. If you have an intel machine with "Vpro" / VT-d, then it's theoretically possible to have a rootkit in the Vpro controller. Really scary stuff:

http://invisiblethingslab.com/press/itl-press-2009-03.pdf
http://www.invisiblethingslab.com/resources/2011/Software%20Attacks%20on%20Intel%20VT-d.pdf

Gets even scarier if you consider the possibility intel just hands over the private keys to 3 letter agencies, which could thereby obtain full remote access to your machine with no way for you to detect it or prevent it. The VPro controller has access to your network, hdd, display buffer, ram, heck even webcam. Like I said, scary.

TDL4 will live through a simple format and reinstallation of the OS... I've done a lot of research on this and even wrote a kernel level boot loader for proof of concept in ASM and C....

Here's a good article on the bootloader if you're interested:

http://www.securelist.com/en/analysis/204792157/TDSS_TDL_4#2

and another very detailed article on how everything works:

http://www.securelist.com/en/analysis/204792180/TDL4_Top_Bot

Quote
According to these databases, in just the first three months of 2011 alone, TDL-4 infected 4,524,488 computers around the world.


TDL4 is probably the most advanced trojan I've ever seen
hero member
Activity: 518
Merit: 500
My bullshit-o-meter almost exploded when I read that.

Actually, if you follow his link, then it depends how you define wiping the drive (dd'ing will definitely do it, but a quickformat might not) and depending if windows upon reinstallation always rewrites the bootloader if there is already one. I'm not 100% certain about that.

That said, there are possibilities to infect machines that resist any hdd wipe or even replacement. If you have an intel machine with "Vpro" / VT-d, then it's theoretically possible to have a rootkit in the Vpro controller. Really scary stuff:

http://invisiblethingslab.com/press/itl-press-2009-03.pdf
http://www.invisiblethingslab.com/resources/2011/Software%20Attacks%20on%20Intel%20VT-d.pdf

Gets even scarier if you consider the possibility intel just hands over the private keys to 3 letter agencies, which could thereby obtain full remote access to your machine with no way for you to detect it or prevent it. The VPro controller has access to your network, hdd, display buffer, ram, heck even webcam. Like I said, scary.
rjk
sr. member
Activity: 448
Merit: 250
1ngldh
Only issues I got from them were "excessive data usage." 250gig a month limits suck.
If you're using Windows, Start > Applications > System Tools > Resource Monitor lets you track all network activity on your computer at process and individual connections level. Figured that out when trying to track down what was using up 10 gigs of data a day. (Turned out to be java.exe... for no reason... AVG and Malwarebytes didn't find anything, so I just force close it with task manager on boot)

I have suddenlink and they're talking about putting an 80GB limit and charging extra if you use more

They said 80 GB is the average that is used in a month!?!? WTF

lol I use more like 800GB a month

anyway port 25 is a SMTP email port so you most likely have a virus sending shit tons of spam

Some nasty viruses hook into your kernel at boot and will feed your anti-virus fake info so it doesn't get detected
here's one for example: http://resources.infosecinstitute.com/tdss4-part-1/

They call it the "Indestructible Botnet"

If you have something like that it will survive even after wiping your hard drive and reinstalling your OS
My bullshit-o-meter almost exploded when I read that.
full member
Activity: 209
Merit: 100
Only issues I got from them were "excessive data usage." 250gig a month limits suck.
If you're using Windows, Start > Applications > System Tools > Resource Monitor lets you track all network activity on your computer at process and individual connections level. Figured that out when trying to track down what was using up 10 gigs of data a day. (Turned out to be java.exe... for no reason... AVG and Malwarebytes didn't find anything, so I just force close it with task manager on boot)

I have suddenlink and they're talking about putting an 80GB limit and charging extra if you use more

They said 80 GB is the average that is used in a month!?!? WTF

lol I use more like 800GB a month

anyway port 25 is a SMTP email port so you most likely have a virus sending shit tons of spam

Some nasty viruses hook into your kernel at boot and will feed your anti-virus fake info so it doesn't get detected
here's one for example: http://resources.infosecinstitute.com/tdss4-part-1/

They call it the "Indestructible Botnet"

If you have something like that it will survive even after wiping your hard drive and reinstalling your OS
legendary
Activity: 1680
Merit: 1035
Only issues I got from them were "excessive data usage." 250gig a month limits suck.
If you're using Windows, Start > Applications > System Tools > Resource Monitor lets you track all network activity on your computer at process and individual connections level. Figured that out when trying to track down what was using up 10 gigs of data a day. (Turned out to be java.exe... for no reason... AVG and Malwarebytes didn't find anything, so I just force close it with task manager on boot)
donator
Activity: 1218
Merit: 1015
Another possibility is your wireless is compromised and someone is using their computer and your wireless to spam.

Port 25 block = spam and for you to get a block it is likely massive (as in tens of millions of emails).

Please tell me you aren't using WEP and if using WPA you changed the router SSID (rainbow tables with tens of millions of passwords exist for the 1000 or so most common/default SSIDs).
The primary wireless router's open!

It'd be surprising if any of the neighbors were able to get a signal, though, they're a good distance away. WinMHR suggested all computers (including relative's) are clean. Repeater router (which is protected) still not reporting any traffic on :25. Putting curiosity to rest, for now... Won't have to deal with Comcast for more than a couple more months, anyway.
donator
Activity: 1218
Merit: 1079
Gerald Davis
Another possibility is your wireless is compromised and someone is using their computer and your wireless to spam.

Port 25 block = spam and for you to get a block it is likely massive (as in tens of millions of emails).

Please tell me you aren't using WEP and if using WPA you changed the router SSID (rainbow tables with tens of millions of passwords exist for the 1000 or so most common/default SSIDs).
hero member
Activity: 900
Merit: 1000
Crypto Geek
If you have a switch that has port mirroring you can monitor all the traffic with TCPDump, limit to port 25 since you've been alerted to that.
For Linux you can use Linux Malware Detect and for Windows WinMHR. They both use the Malware Hash Registry by Team Cymru which includes samples of almost all known infectors. LMD also looks for hex patterns in addition to hashes. Other options are firewall with IDS, Backtrack in a VM in bridge mode to scan your network.

Kudos to this slick answer.

Easiest is probably to monitor upstream, like on the modem/router if you can't port mirror. In a more simple way you could turn all computers on, disable auto updates etc and reset the data send/receive counters on the modem. Then leave for a day and see what traffic is sent.
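The two posts above set up the mirror (iptables ROUTE --tee, since superseded in mainline iptables by the TEE target with --gateway) and suggest narrowing tcpdump to port 25. As an added example that is not from this thread, here is a Python pass over constructed tcpdump output from the monitor PC that identifies which LAN host is opening SMTP connections to many different mail servers, the pattern behind a spam-driven port 25 block. The LAN prefix 192.168.1. comes from the quoted article; the sample lines and the threshold of three distinct destinations are constructed assumptions.

```python
import re
from collections import Counter, defaultdict

# Constructed sample (not a real capture) of what the monitor PC would print
# from `tcpdump -n -tt tcp` on the mirrored traffic. Only two LAN hosts appear.
SAMPLE_CAPTURE = """\
1334400001.000123 IP 192.168.1.3.51234 > 203.0.113.5.25: Flags [S], seq 1, win 8192, length 0
1334400001.000456 IP 203.0.113.5.25 > 192.168.1.3.51234: Flags [S.], seq 2, ack 2, win 65535, length 0
1334400001.200000 IP 192.168.1.3.51235 > 198.51.100.9.25: Flags [S], seq 1, win 8192, length 0
1334400001.300000 IP 192.168.1.3.51236 > 198.51.100.10.25: Flags [S], seq 1, win 8192, length 0
1334400001.400000 IP 192.168.1.3.51237 > 203.0.113.77.25: Flags [S], seq 1, win 8192, length 0
1334400002.000000 IP 192.168.1.10.49152 > 203.0.113.5.25: Flags [S], seq 1, win 8192, length 0
1334400003.000000 IP 192.168.1.10.49153 > 203.0.113.5.587: Flags [S], seq 1, win 8192, length 0
"""

# Matches the head of a tcpdump line printed with -n (no name resolution) and
# -tt (epoch timestamps); whatever follows the TCP flags is ignored.
LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+) IP (?P<src>\d+(?:\.\d+){3})\.(?P<sport>\d+) > "
    r"(?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\]"
)

LAN_PREFIX = "192.168.1."  # the LAN used in the quoted article (assumption)


def parse_line(line):
    """Return (src, dst, dport, flags) for a TCP line, or None if it does not parse."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return m["src"], m["dst"], int(m["dport"]), m["flags"]


def outbound_smtp_syns(capture):
    """Count connection attempts (bare SYN, not the SYN-ACK reply) from LAN hosts
    to external port 25, keyed by source host, then by destination mail server."""
    per_source = defaultdict(Counter)
    for line in capture.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        src, dst, dport, flags = parsed
        if dport != 25 or flags != "S":
            continue
        if src.startswith(LAN_PREFIX) and not dst.startswith(LAN_PREFIX):
            per_source[src][dst] += 1
    return per_source


def flag_spam_sources(capture, min_distinct_destinations=3):
    """Return (host, distinct_mail_servers, attempts) for LAN hosts that opened
    SMTP connections to at least `min_distinct_destinations` different servers.
    A normal mail client talks to one relay; a spam bot talks to many MXs."""
    flagged = []
    for src, dsts in outbound_smtp_syns(capture).items():
        if len(dsts) >= min_distinct_destinations:
            flagged.append((src, len(dsts), sum(dsts.values())))
    return sorted(flagged)
```

Feed it the real capture (`tcpdump -n -tt tcp > smtp.log` on the monitor PC, then read the file into `flag_spam_sources`) and only the host fanning out to many mail servers is reported; a machine that talks to a single relay, or uses submission port 587, is not.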

full member
Activity: 196
Merit: 100
Web Dev, Db Admin, Computer Technician
If you have a switch that has port mirroring you can monitor all the traffic with TCPDump, limit to port 25 since you've been alerted to that.
For Linux you can use Linux Malware Detect and for Windows WinMHR. They both use the Malware Hash Registry by Team Cymru which includes samples of almost all known infectors. LMD also looks for hex patterns in addition to hashes. Other options are firewall with IDS, Backtrack in a VM in bridge mode to scan your network.
sr. member
Activity: 266
Merit: 250
The king and the pawn go in the same box @ endgame
P2P is a way that botmasters can communicate with their bots. But as everyone else said, port 25 is not usually a BTC port. And remember this, a new virus is created every 3 seconds. (from what I have seen, most of them are the same viruses, they have just been crypted differently with each new iteration). On a side note, what are the odds of a malicious attacker sending bot instruction messages embedded in the block chain?
legendary
Activity: 1526
Merit: 1134
Doubtful. You most likely have a virus on a system but aren't able to detect it.

Try getting a known-clean (new?) system and do a wire trace for 24-48 hours on the connection, see if anything comes up. And/or reformat/reinstall all your systems.
donator
Activity: 1218
Merit: 1015
Interesting. I wonder if the internet service providers can somehow become overlords of the bitcoin system?

Is that a potential point of failure for the bitcoin system?

Are there ways to simply change the "port reference" to something else to keep the system going?

I'm clearly not a programmer, but I feel like this is a good discussion to vet just to be sure of where the points of failure are for interested parties to attack the system.

The more we brainstorm, the better prepared we can be for any inevitable situations.
fwiw, Bitcoin doesn't use :25. Very easy to change port Bitcoin client uses, also easy to change with miners, though you're limited to whichever ports your pool op has open unless you're going solo (dunno about p2pool). I was just curious if Comcast was bumbling around with a paintbrush to say the large amount of small data exchanges between miners & pool was virus-like activity.

ETA @ Mike & AB -- I think y'all are right. Every computer I run has a relatively fresh install with only mining essentials installed. There are three exceptions. One PC acts as a TV and it's possible it's infected -- I haven't checked it well. This PC acts as my general use computer... pretty confident it isn't infected, and I checked traffic with Peerblock (nothing unexpected), checked to make sure no unknown services/programs were running... no CPU clocks going to anything unknown. Other is a retired laptop, which isn't doing it. Asked relative about her own laptop, she said she ran A/V software on it, and I didn't press to check it. Getting curious, but I have other stuff to do. Will update if I find anything.
legendary
Activity: 2114
Merit: 1031
Interesting. I wonder if the internet service providers can somehow become overlords of the bitcoin system?

Is that a potential point of failure for the bitcoin system?

Are there ways to simply change the "port reference" to something else to keep the system going?

I'm clearly not a programmer, but I feel like this is a good discussion to vet just be sure of where the points of failure are for interested parties to attack the system.

The more we brainstorm, the better prepared we can be for any inevitable situations.