
Botnet affecting all network connected devices

Solved by ElSeniorTaco


Hello all, and let me say thanks for the help ahead of time.

 

I'm currently on my mobile device and have been googling around, but I figure I'll ask here while I'm researching solutions.

 

Just as the title says, I have some sort of botnet affecting almost every device on my wifi network. I connected a new PS4 Pro and my CUJO (hardware firewall) detected that my brand new PS4 Pro attempted to reach an IP that's for a botnet. But it's not just the PS4: my laptop (which I scanned for an infection and found nothing), my brother's laptop, other smartphones in the house, and so on. Surprisingly my phone doesn't get affected, nor my desktop, but I did get rid of some malware like a week ago that did the same thing, hidden in a system folder.

 

I want to know if there's a way to scan my entire network with AV or Malwarebytes of some kind. I almost want to factory reset every device in my house. I currently have like 50 hits a week with devices trying to get to botnet IPs.


Well this was never an issue before. Also the firewall hardware I use, the CUJO, with its accompanying app notifies me of any threat it encounters. It then tells me why it blocked it, so in this case it tells me these IPs are being blocked because they are on a global list of blocked IPs that belong to a botnet.

 

This is an example of what I see from the app: [screenshot attached]


got any IoT devices in the house?

smart devices basically?

does it give you a list of devices that are infected?

are they all trying to connect to that same IP?

Can you post a log from the IPS/IDS device? (cujo)


1 hour ago, ElSeniorTaco said:

got any IoT devices in the house?

smart devices basically?

does it give you a list of devices that are infected?

are they all trying to connect to that same IP?

Can you post a log from the IPS/IDS device? (cujo)

The IoT device we have is a Google Home and that's it. But that hasn't been affected as far as I have seen. Smart devices are the only thing affected.

Is this picture sufficient? [screenshot attached]


Quote

Smart devices are the only thing affected. 

Heh, not so smart after all.

Guess you already tried disconnecting one thing at a time for a while and checking if the connection persists, and the connected clients list. Are you using a VPN? Is the router firmware up to date?


Hmm.

It could be false positives?

But I am not entirely sure about that.

Fqtag is known to be in advertisements and other things.

 

The 34.231.103.23 address is owned by Amazon apparently.

So is 13.33.74.93

So is 13.33.74.12

I'm betting that these addresses are safe unless it's like one of those servers that you can rent from Amazon that has been hijacked by a hacker.

Maybe you just blocked a portion of Amazon with the CUJO device and it's going nuts.

I am wondering if you got a popup asking you if a certain IP was unsafe and you blocked it, and now CUJO has gone rabid, blocking everything from Amazon.

If it's only on smart devices, then it's possible that it somehow blocked the IPs that Amazon uses to host content for mobile/smart devices.

Maybe this thing is detecting devices that connect to people known to advertise, sort of like an adblocker?

 

How high of a security setting do you have set (assuming you can change the aggressiveness)?

I know if I set my IPS/IDS at work to full power, it will basically block the entire internet, basically telling me that going online is unsafe no matter where you go lol

 

 

 

If it is a legit malware issue then it could be a network worm/virus (something that uses your network to replicate itself onto other computers and devices).

Do you have any special settings on your router?

Odd gateways, DNS settings etc.?

 

Overall though I'm gonna say your CUJO device is somehow scared of Amazon and has blacklisted Amazon for some reason.

Maybe it's all the amazing deals and free shipping, it's a threat to most smaller companies you know!

:D

 


11 minutes ago, aezakmi said:

Heh, not so smart after all.

Guess you already tried disconnecting one thing at a time for a while and checking if the connection persists, and the connected clients list. Are you using a VPN? Is the router firmware up to date?

No VPN, which I want to make my own one day, but that's a conversation for another time. I just checked and the firmware is up to date on the ASUS app I have to check on it remotely, but I question the accuracy of the app. But yes, many of these devices are turned on and off throughout the day, and as soon as they reconnect to the internet I get a message from my CUJO.


Seriously, all these devices are connecting to Amazon and it's causing false positives, I am like 99% sure on that lol

Do a whois search on the IPs and see for yourself who owns them:

www.whois.sc

False positives are the natural order with intrusion prevention and detection devices, even big high-powered ones like the one I have in this building now.

We work with ISPs like Charter and Level 3 etc., and it blocked their servers even; I had to go through and tell it that it's safe so our guys could keep working.

It blocked a "tor relay" once, that turned out to be not a "tor relay" but just a DNS server that we needed.

It might say botnet or whatever, but you need to look into what is going on.

These labels it puts on things like botnet are not always correct, I can tell you that from experience.

Take what you see with a grain of salt and investigate the actual IPs it provides on your own to see what is really going on.

Maybe this IP was listed as a botnet in 2006 and it got shut down, then Amazon bought the whole block of IPs and some companies never un-blacklisted it.

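A small triage helper, added here as an example (it is not from the thread and not CUJO's own code), that does what the post above recommends: group the "botnet" alerts by destination IP, see which devices hit each one, and annotate each address with the owner you found through whois. The alert lines and the prefix-to-owner table are constructed stand-ins, since a real whois lookup needs the network.

```python
import ipaddress
from collections import Counter, defaultdict

# Constructed sample alerts modelled on the CUJO notifications the thread
# describes (device, destination IP, label); not real CUJO log output.
SAMPLE_ALERTS = """\
ps4-pro,13.33.74.93,botnet
ps4-pro,13.33.74.12,botnet
laptop-nate,34.231.103.23,botnet
laptop-bro,13.33.74.93,botnet
phone-guest,13.33.74.12,botnet
laptop-nate,203.0.113.7,botnet
"""

# Hypothetical ownership table standing in for whois answers looked up by hand;
# the prefixes are illustrative, not an authoritative Amazon list.
KNOWN_OWNERS = {
    ipaddress.ip_network("13.33.74.0/24"): "Amazon",
    ipaddress.ip_network("34.224.0.0/12"): "Amazon",
}

def parse_alerts(text):
    """Turn CSV-style alert lines into (device, ip_address, label) tuples."""
    rows = []
    for line in filter(None, text.splitlines()):
        device, ip, label = (field.strip() for field in line.split(","))
        rows.append((device, ipaddress.ip_address(ip), label))
    return rows

def lookup_owner(ip, owners=KNOWN_OWNERS):
    # Return the owner label for an address, or None if no known prefix matches.
    for net, owner in owners.items():
        if ip in net:
            return owner
    return None

def triage(text, owners=KNOWN_OWNERS):
    """Group alerts by destination so one decision covers every device hitting it."""
    hits = Counter()
    devices = defaultdict(set)
    for device, ip, _label in parse_alerts(text):
        hits[str(ip)] += 1
        devices[str(ip)].add(device)
    report = {}
    for ip, count in hits.most_common():
        owner = lookup_owner(ipaddress.ip_address(ip), owners)
        verdict = ("owner known: check which service before unblocking" if owner
                   else "owner unknown: investigate the address")
        report[ip] = {"hits": count, "devices": sorted(devices[ip]),
                      "owner": owner, "verdict": verdict}
    return report
```

An address several unrelated devices hit, owned by a large hosting provider, fits the false-positive pattern described in the thread; an unknown owner is the one worth digging into.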

15 minutes ago, ElSeniorTaco said:

...

Over all though im gonna say, your cujo device is somehow scared of amazon and has blacklisted amazon for some reason.

Maybe its all the amazing deals and free shipping, its a threat to most smaller companies you know!

:D

 

I haven't changed anything on the CUJO besides a few things on the DHCP front. I just looked on the CUJO and I don't see a setting for changing the aggressiveness of the protection. There are filters for parental control, but those don't show up or notify me unless I look. I can connect to Amazon just fine and order stuff like normal on my desktop, so maybe a different aspect of Amazon? But yes, you're probably right, it's afraid of Amazon's amazing deals.


16 minutes ago, NateGSR117 said:

I haven't changed anything on the CUJO besides a few things on the DHCP front. I just looked on the CUJO and I don't see a setting for changing the aggressiveness of the protection. There are filters for parental control, but those don't show up or notify me unless I look. I can connect to Amazon just fine and order stuff like normal on my desktop, so maybe a different aspect of Amazon? But yes, you're probably right, it's afraid of Amazon's amazing deals.

Just because you can connect to Amazon doesn't mean it's not blocking a portion of Amazon.

Amazon owns a retarded amount of computing power and IP addresses.

You could have a few of their addresses blocked and still browse the Amazon site without ever knowing something was blocked.

They've got redundancies upon redundancies, and the IPs you have blocked might not even be for their amazon.com website, but for some other service they provide.

 

The Amazon website will probably use different IPs for the website, different ones for payments being made, different ones for mobile devices, different ones for certain states and counties, and different IPs for certain times of day or when they are shifting loads around or when they need to do maintenance.

There is no one IP address that resolves to all of Amazon and its inner workings.

 

I bet if we both do a DNS resolution of amazon.com on our separate computers, you and I will see two different IPs for the same website, and if we do it again in another 30 minutes, those IPs will be different from what we saw earlier.

There are all types of load balancing and shifting around going on in a huge company like this.

It's how they can serve the entire world; they can't / won't do it from one place or IP, it's just not how you handle large-scale operations.

 

I mean we even have 5 IPs in this building, and we are a tiny operation.

You could block one and have our website still working great, but some smaller services might not be working or might have shifted over to a different IP, and you as a customer would have no idea.


12 minutes ago, ElSeniorTaco said:

Seriously, all these devices are connecting to Amazon and it's causing false positives, I am like 99% sure on that lol

Do a whois search on the IPs and see for yourself who owns them:

www.whois.sc

So I looked, and it looks like it is indeed Amazon, GoDaddy and Rocket Fuel (an AI advertising company).


Whois says the 13.33.74.x addresses are from Amazon. If your firewall is preventing the devices from connecting it should be OK, it means it's working.


3 minutes ago, aezakmi said:

Whois says the 13.33.74.x addresses are from Amazon. If your firewall is preventing the devices from connecting it should be OK, it means it's working.

Yup, but my concern was whether it was actually malware/a virus/a worm. If it is nothing serious and a false positive, then I really don't need to take follow-up action and can let the system be.


These big-scale operations have got some crazy stuff going on behind the scenes. It's actually pretty nuts when you see what all goes on to make things like this tick; you would be amazed at how complicated it can get.

I'd hate to see a network flow diagram for Amazon. It would probably look like a collage of Egyptian hieroglyphs when you zoom out lol :P


1 minute ago, NateGSR117 said:

Yup, but my concern was whether it was actually malware/a virus/a worm. If it is nothing serious and a false positive, then I really don't need to take follow-up action and can let the system be.

Ya, if nothing has failed, it's not a big deal for the most part.

Whatever was blocked, if it was important, it would probably fail over to another system/IP anyhow.

If you notice something not connecting in your network, or some app not working properly, then I would look into unblocking it for sure.


1 minute ago, ElSeniorTaco said:

These big-scale operations have got some crazy stuff going on behind the scenes. It's actually pretty nuts when you see what all goes on to make things like this tick; you would be amazed at how complicated it can get.

I'd hate to see a network flow diagram for Amazon. It would probably look like a collage of Egyptian hieroglyphs when you zoom out lol :P

Well, thanks for the insight and the knowledge. I took a class in networks and network security and I've been paranoid ever since (plus some scary personal experiences). It's just nice to know that I'm just overreacting, haha.


17 minutes ago, NateGSR117 said:

Well, thanks for the insight and the knowledge. I took a class in networks and network security and I've been paranoid ever since (plus some scary personal experiences). It's just nice to know that I'm just overreacting, haha.

Oh ya, trust me, I get into some wild stuff on my end, and I'm still paranoid no matter what xD

I'll lock everything down, then investigate, and then open it all back up after I find out it blocked like Walmart or something stupid lol; most of the time it's nothing.

It's not a bad thing to be paranoid, it keeps you secure.

 

But I have had some crazy stuff go down. I've had to block a lot of things, block entire countries' worth of IPs because I got tired of investigating them (DAMN YOU RUSSIA lol), take down some services and find less vulnerable replacements, contact ISPs to report people, etc.

I even set up a SIP phone system, and the same day I set it up it was already getting slammed by hackers; it blew my mind how quickly they started hitting it with brute force.

I ended up just having someone else host the server because I just didn't want to deal with it and risk a future headache lol

Them hackers sure love their SIPVicious.

 

Check out the thehackernews.com website. It's a good way to get even more paranoid; new and scary stuff comes out every day. It's not a bad source of info to get an idea of what's going on in the cyber security world.

 

In the end though, most of the time things aren't too big of a worry, at least not with us small fishes.

I'm sure a company like Amazon has a terrifying amount of security-related concerns go down every day.

I'd probably die from a heart attack in no time from all the stress if I was on their SIRT team lol


30 minutes ago, ElSeniorTaco said:

...

In the end though, most of the time things aren't too big of a worry, at least not with us small fishes.

I'm sure a company like Amazon has a terrifying amount of security-related concerns go down every day.

I'd probably die from a heart attack in no time from all the stress if I was on their SIRT team lol

I bet. With all the stuff you deal with, I would have a heart attack at my house network. Thanks again for the help.
