12-17-2010 05:48 PM
Was there a particular question you were looking to have answered? In tracing back (it's a long thread at this point) it looks like answers were given. If there's something outstanding, please let us know and we'll answer as best we can.
12-17-2010 05:57 PM - edited 12-18-2010 03:52 PM
I think every one or at least every other one of my posts had questions that were unanswered.
And here are all the questions:
1. http://secunia.com/vulnerability_scanning/personal
Which version, the 1.5.0.2 or the 2.0 beta release?
---
2. Well, the v1.5.0.2 version fails to install on my Windows XP system. Guess will try the 2.0 beta version.
Also, it would be helpful if Comcast were to tell us what we are supposed to be looking for (like the name of the bot) and how to tell when we have removed it successfully. So far I have found nothing with the Microsoft® Windows® Malicious Software Removal Tool (KB890830), a few things found and removed with the Windows Live safety scanner, nothing found with the Comcast/Symantec anti-virus scanner, and this is going on 1 day of running full scans on my system. When do I know when to stop?
So my next step is????
- Yes, it found nothing with the full scan.
---
4. OK, so it looks like the PSI 2.0 beta did install, despite the dialog box to the contrary. At least there was a process running on the icon tray. Running that shows 7 programs that are not fully up to date or secure. Not sure what to do about that, or if I need to do anything about that.
Again, what am I supposed to look for with this tool to determine if something is in need of attention.
Another update link is for Apple QuickTime and that one takes me to the QuickTime installer. But I have the iTunes+QuickTime version installed and I know for sure that installing the QuickTime-only version will "F" up the iTunes install. So do I install the link that PSI points to or re-install the software I already have that was updated a few weeks ago as I recall?
And if I have been through all 4 pages of the Comcast "fix" script, am I done/clean/bot-free or did I just waste 2 days doing someone's guess as what might be a fix for a problem my PC might have?
Also, on the old Adobe applications I have installed, I only use those for converting locally created files to PDF format. I have the most current version of the Acrobat Reader installed for viewing on-line and down-loaded PDF files.
Aside from the above two instances (3 files in total), my PSI score went from 94% to 98% but I see no way to get to 100%. So is this OK or is this the cause of my purported BOT infestation?
How can I tell when things are cleaned up???
And again, I ask if there is a way I can test to see that I have cleaned my machines of this purported bot. If not, why?
Basically, the main question is:
HOW DO I TELL IF I HAVE REMOVED THE PURPORTED BOT THAT ONE OR MORE OF MY PCS MIGHT HAVE HAD?
So no answers to all these questions, even after taking the trouble to combine them all into one post. Oh well...
12-17-2010 06:04 PM
I am sorta wondering the same thing... except I figure that if I don't see another email informing me that there may be a bot on my computer, then I am probably safe. It's been a week now, and I am pretty hopeful that all the trouble I have been going through was worth it.
12-17-2010 07:35 PM
I'll have someone look into the last time a bot was detected from your modem. If it's nothing current, then it's likely it was found/removed.
12-17-2010 07:44 PM
Jordan_RO wrote:
I'll have someone look into the last time a bot was detected from your modem. If it's nothing current, then it's likely it was found/removed.
So it sounds as if nobody has any clue what the name of this BOT is or how to detect its presence and remove it from an infected system.
Is that basically correct?
And as a side note, I did an on-line chat session with Norton this morning to fix some Norton A/V issues that popped up this morning and that tech assured me my system was 100% free of viruses/malware/bots, etc.
12-17-2010 08:10 PM - edited 12-17-2010 08:11 PM
4CrawlR wrote:
So it sounds as if nobody has any clue what the name of this BOT is or how to detect its presence and remove it from an infected system.
Is that basically correct?
And as a side note, I did an on-line chat session with Norton this morning to fix some Norton A/V issues that popped up this morning and that tech assured me my system was 100% free of viruses/malware/bots, etc.
We did see evidence of bot activity and sent you a notice in response. That is for certain. This was not a guess or an error.
That being said, I'm glad to hear the Norton representative inspected your machine and informed you that it was clean.
12-17-2010 08:21 PM - edited 12-18-2010 03:57 PM
Jordan_RO wrote:
4CrawlR wrote:
So it sounds as if nobody has any clue what the name of this BOT is or how to detect its presence and remove it from an infected system.
Is that basically correct?
And as a side note, I did an on-line chat session with Norton this morning to fix some Norton A/V issues that popped up this morning and that tech assured me my system was 100% free of viruses/malware/bots, etc.
We did see evidence of bot activity and sent you a notice in response. That is for certain. This was not a guess or an error.
That being said, I'm glad to hear the Norton representative inspected your machine and informed you that it was clean.
So I am 100% clean now?
If you can't answer that, who can?
I called 1-800 number at Comcast, they said I was clean,
I contacted Norton, they said I was clean.
Yet, I have never found anything in all the scans I have run so how do I really know my PC is clean?
And my question in the earlier post, that was cleverly sidestepped:
"So it sounds as if nobody has any clue what the name of this BOT is or how to detect its presence and remove it from an infected system. Is that basically correct?"
You say you saw evidence of a bot and sent me an e-mail.
But DO YOU OR ANYONE HERE KNOW WHAT THE BOT WAS? What is the name of it, how do I look for it in the future?
Or in other words, has this *new* "bot finding" system Comcast has ever been tested for ground truth as they say in the satellite photo business? That is bot finder finds "evidence" of a bot on system X. Then some real human goes to system X and finds evidence of same bot that matches what the "bot finder" found, and then documents how to find said bot and also how to remove same. Or is this all top secret information and Comcast will not share with us loyal customers who are capable of doing this sort of system maintenance if only we knew what we were looking for and how to get rid of it?
A comment on the system implementation::
- http://blog.funnelfiasco.com/?p=820
So with the lack of response, I assume that nobody has any clue what this bot is, nor how to find it on a system nor how to remove it.
It just seems that this "bot finding system" is only half-way implemented. It is all great that Comcast can find evidence of a bot infestation, but what about the rest of the story? The customer gets this dumped on them, but then is given no way to tell when the bot is removed. Is something being done to remedy this? And I thought in the US that the accused was presented with the evidence against them and then given the opportunity to prove themselves innocent? I just don't see how I can ever prove my system is clean of something I don't have any idea how to look for.
12-17-2010 09:23 PM
12-17-2010 09:48 PM - edited 12-17-2010 10:13 PM
suelynn2z wrote:
I echo the same sentiments as 4crawlR. I don't know if I'm clean and have been shutting down computers and my modem when I'm not using it. Should I call comcast for them to check if I (still) have a bot? Who or what do I ask for to make sure I reach someone who knows about constant guard?
Yes, I am sure this is the sentiment of *everyone* affected.
Why can't this fancy bot finding system keep a list of all "infected" systems and then, after a pre-determined period of time (or some other metric), if it does not see continued bot activity, send out an e-mail thanking the customer for addressing and fixing the problem? Seems that would be in line with Comcast's big advertising focus on "customer service" these days.
12-17-2010 10:11 PM - edited 12-17-2010 10:12 PM
Okay. Has this been frustrating? Heck yes. Has it been scary? Yeah, that too. I agree it would be nice if there had been a little more information to go on in the email as to what, when, where, how, and why. I spent a good five days in a virtual panic, not knowing what was going on or why my scans mostly came up empty, not knowing if any of the financial websites that I had been working with had been intercepted before I got the notice, etc.
But look, this is a whole new program for Comcast. Maybe it has kinks and maybe it has a lot of room for improvement. I think that the lesson here for all of us is to pay attention to our security systems, be wary of unfamiliar and suspicious websites, and take all necessary steps to protect ourselves.
And always remember... it's a free country. If you are that unhappy with the customer service at any company, you can choose to take your business elsewhere.
Was someone going to check for me to see if there has been any more bot activity on my IP? Thx.
12-18-2010 12:27 AM
Nikki16 wrote:
Okay. Has this been frustrating? Heck yes. Has it been scary? Yeah, that too. I agree it would be nice if there had been a little more information to go on in the email as to what, when, where, how, and why. I spent a good five days in a virtual panic, not knowing what was going on or why my scans mostly came up empty, not knowing if any of the financial websites that I had been working with had been intercepted before I got the notice, etc.
But look, this is a whole new program for Comcast. Maybe it has kinks and maybe it has a lot of room for improvement. I think that the lesson here for all of us is to pay attention to our security systems, be wary of unfamiliar and suspicious websites, and take all necessary steps to protect ourselves.
And always remember... it's a free country. If you are that unhappy with the customer service at any company, you can choose to take your business elsewhere.
Was someone going to check for me to see if there has been any more bot activity on my IP? Thx.
Nikki16, I sent you a PM. If you have any other questions in the meantime, please let us know.
Thanks,
Adam
12-18-2010 10:45 AM
suelynn2z wrote:
I echo the same sentiments as 4crawlR. I don't know if I'm clean and have been shutting down computers and my modem when I'm not using it. Should I call comcast for them to check if I (still) have a bot? Who or what do I ask for to make sure I reach someone who knows about constant guard?
I sent you a PM
12-18-2010 11:45 PM
12-19-2010 10:55 AM
Comcast can't tell whether the bot is eradicated. They're not inside your computer, all they can see is what it's sending out to the Internet. If the bot is idle, Comcast can't tell it's there. The bot is like a "sleeper agent", waiting for a command telling it to wake up.
And Comcast doesn't even monitor your Internet activity in real time. Constant Guard relies on third party reporting services that monitor for bot activity and log the IPs of the machines involved. This is why there's usually a lag of a few days between the activity and receiving the email notification.
12-19-2010 11:09 AM - edited 12-19-2010 01:27 PM
Barmar wrote:
Comcast can't tell whether the bot is eradicated. They're not inside your computer, all they can see is what it's sending out to the Internet. If the bot is idle, Comcast can't tell it's there. The bot is like a "sleeper agent", waiting for a command telling it to wake up.
And Comcast doesn't even monitor your Internet activity in real time. Constant Guard relies on third party reporting services that monitor for bot activity and log the IPs of the machines involved. This is why there's usually a lag of a few days between the activity and receiving the email notification.
But why can't they do the leg work to help us customers identify the tools and procedures to use to locate and eradicate said bot? As noted in the draft paper: https://datatracker.ietf.org/doc/draft-oreirdan-mo
"3. Introduction and Problem Statement Hosts used by Internet users, which in this case are customers of an Internet Service Provider (ISP), can be infected with malware which may contain and/or install one or more bots on a host. They can present a major problem for an ISP for a number of reasons (not to mention of course the problems created for users). First, these bots can be used to send spam, in some cases very large volumes of spam [Spamalytics: An Empirical Analysis of Spam Marketing Conversion]. This spam can result in extra cost for the ISPs in terms of wasted network, server, and/or personnel resources, among many other potential costs and side effects. Such spam can also negatively affect the reputation of the ISP, their customers, and the email reputation of the IP address space used by the ISP (often referred to simply as 'IP reputation')."
So it seems that Comcast has the tools to help identify the presence of a bot, and the incentive to mitigate the damage said bots can cause on their system and "reputation". So why not get a little ground truth by detecting some infected systems, then physically go there and figure out what local A/V type tools are needed to locate and eradicate the bot, and then publish that information for all to use? That would be an excellent way to promote a good reputation and improve customer service, which seems to be a big focus for them these days. This is the direct opposite of the current system, where it is more of a "tag, you are it" approach, and they offer no assistance or information about the bot. After all, it is in Comcast's interest to get rid of the bots, not just find them. Maybe this has been done already and the information is just not being shared with the customers. And if it has not been done, I wonder what sort of false positive rate this detection process has.
And why is it that Norton/Immunet are not picking up these bots and either preventing them from getting in or stopping them once they are in a system? And what is it that the $100 hired Norton gun can do that the average customer can't do?
12-19-2010 11:23 AM - edited 12-19-2010 11:26 AM
4CrawlR wrote:
So why not get a little ground truth by detecting some infected systems, then physically go there and figure out what local A/V type tools are needed to locate and eradicate the bot, and then publish that information for all to use? And why is it that Norton/Immunet are not picking up these bots and either preventing them from getting in or stopping them once they are in a system?
It sounds to me like you have just given a pretty accurate description of what the entire computer and Internet security industry is on a mission to do. Here's the problem: the enemy is ahead. Apparently, the threats out there in cyberland have outpaced the industry's ability to detect and eradicate them.
All we can do is the best we can do. I installed all the OS updates, updated and scanned with Norton A/V, brought Secunia up to 100% (which has resulted in a marked improvement in the behavior of some of the websites I visit), updated and scanned with Adaware, Spybot Search and Destroy, and Malwarebytes, and instructed my son to stay away from the majority of Facebook apps.
If, after a period of time has passed, I don't get an email from Comcast notifying me of activity on my IP, then I would think that all will be well.
12-19-2010 11:58 AM
4CrawlR wrote:
So it seems that Comcast has the tools to help identify the presence of a bot, and the incentive to mitigate the damage said bots can cause on their system and "reputation". So why not get a little ground truth by detecting some infected systems, then physically go there and figure out what local A/V type tools are needed to locate and eradicate the bot, and then publish that information for all to use? That would be an excellent way to promote a good reputation and improve customer service, which seems to be a big focus for them these days. This is the direct opposite of the current system, where it is more of a "tag, you are it" approach, and they offer no assistance or information about the bot. After all, it is in Comcast's interest to get rid of the bots, not just find them.
One of the services that Comcast offers is Xfinity Signature Support, a service to login to your computer and help you clean it up. I think the Constant Guard notice includes a referral to this.
But even they will only be as effective as the AV tools that are available.
12-19-2010 12:07 PM - edited 12-19-2010 12:31 PM
Barmar wrote:
One of the services that Comcast offers is Xfinity Signature Support, a service to login to your computer and help you clean it up. I think the Constant Guard notice includes a referral to this.
But even they will only be as effective as the AV tools that are available.
Don't see any reference to the Xfinity Signature Support in either my notification e-mail or on the web page it directs me to.
I tried the link above and get:
"Sorry, your request failed. A notification has been sent to the development team for investigation.
Exception ID: 5C67A5A7"
But in digging through the web page links on the main Constant Guard page, I found this one:
- http://security.comcast.net/get-help/contact-comca
And the person at that number (888-565-4329) said they are the only folks that can handle questions about this and directly look up activity on your cable modem and they said I have been clean since the notice was sent out. So give them a call (be prepared for a L O N G wait time though).
12-19-2010 12:18 PM
Not sure what happened when I was entering the link above. But the link is on the constantguard.comcast.net page.
Try this: https://constantguard.comcast.net/xss/signaturesup
12-19-2010 12:34 PM - edited 12-20-2010 04:10 PM
Barmar wrote:
Not sure what happened when I was entering the link above. But the link is on the constantguard.comcast.net page.
Try this: https://constantguard.comcast.net/xss/signaturesupport.html
OK, now I see that link. So what exactly can this $129.95 hired gun do that I can't do? If they can only do the steps listed on the 4 pages of system fixes, then that should be mentioned on the sig.supp. page. And if there is some magic tool or trick they have, why is this not documented, or is the idea to generate revenue via this service? I mean, with my household cable wiring, I can pay for a service visit each time I have a problem or I can subscribe to the wing protection plan for a small monthly rate and have everything covered.
And yes, maybe these are all growing pains of a newly introduced service. If this is indeed v0.1 of the Constant Guard system and it'll get better over time, then I guess the lack of information now can be tolerated. But if this is the final version of said system, I give it a D- grade for customer service, or rather the lack thereof.
And why that grade? Well, for one, getting any sort of consistent information to assist in understanding this issue is a total failure. The regular 1-800 tech support folks had no clue about this bot-letter and after explaining it to them, they said it was no big deal. Case in point: I had 4 contacts say my system was clean and then had one that reported there may or may not still be evidence of a bot infestation. So I can't find out 100% for sure either way; what kind of system is that? The provided links to anti-virus tools provide no information on what exactly to look for to determine the presence of a bot, nor any specific steps on how to remove it if found. Yes, the information presented is all good system maint. information and in and of itself is useful in that regard. But in this specific situation, what does one do when nothing is found? And the time required to eke out even the most meager answers from anywhere is not acceptable. It has taken 12 days since getting the letter to find out that I might or might not have a bot infection, and I knew that from the letter, so in 12 days I have not gotten past the first step. It seems that Comcast's stance on this issue is to just pass the problem off to the customer with no further assistance. And yet, it is Comcast that has the "tools" that can supposedly detect the presence of the bot.
And please pass this post on to Comcast mktg. folks and feel free to have them contact me.
12-19-2010 03:28 PM - edited 12-19-2010 03:30 PM
Xfinity Signature Support has replaced the Norton Support and is now listed on the Constant Guard Center website. It is a service that assists customers with a number of services. They do not employ any "magic bullet" software that is not available through typical means. Much in the way that some are comfortable upgrading the RAM in their computer and some are not, Signature Support is there for those that would prefer a professional assist them with computer problems.
12-19-2010 04:05 PM - edited 12-19-2010 04:06 PM
OK, thanks for the straightforward answer to at least one of my questions over the last 2 weeks.
12-19-2010 05:34 PM
4CrawlR,
Comments inline:
1. http://secunia.com/vulnerability_scanning/personal
Which version, the 1.5.0.2 or the 2.0 beta release?
<Jordan_Ro> 1.5.0.2 is the recommended download.
---
2. Well, the v1.5.0.2 version fails to install on my Windows XP system. Guess will try the 2.0 beta version.
Also, it would be helpful if Comcast were to tell us what we are supposed to be looking for (like the name of the bot) and how to tell when we have removed it successfully. So far I have found nothing with the Microsoft® Windows® Malicious Software Removal Tool (KB890830), a few things found and removed with the Windows Live safety scanner, nothing found with the Comcast/Symantec anti-virus scanner, and this is going on 1 day of running full scans on my system. When do I know when to stop?
<Jordan_Ro> That is up to you. We are simply alerting you to a condition we've observed. As of 2010-12-18 11:34:27 we have still seen activity indicative of a bot infection.
---
3. Well, the PSI v2.0 beta also fails to install on my system. Only a dialog box that says "Installation Failed" and no details as to why.
So my next step is????
Partial answer: Did you try installing Immunet?
- Yes, it found nothing with the full scan.
<Jordan_Ro> Looks like that resolved.
---
4. OK, so it looks like the PSI 2.0 beta did install, despite the dialog box to the contrary. At least there was a process running on the icon tray. Running that shows 7 programs that are not fully up to date or secure. Not sure what to do about that, or if I need to do anything about that.
Again, what am I supposed to look for with this tool to determine if something is in need of attention.
<Jordan_Ro> Secunia is a tool that shows you potentially unpatched and vulnerable software on your machine. It does not discover malware. Consider it the next logical step after ensuring your OS is up to date.
---
5. OK, so a few programs show update links; one is Adobe Acrobat (I have a paid-for 6.x version that I use for making PDF files) and it takes me to the version 9 page which wants me to buy the new version for $199.99. How can I tell if this old Acrobat version is the cause of this supposed BOT I may have? It has probably been 2 weeks or so since I last used this program and I only use it a few times a year, so forking out $200 for a new version makes little sense unless I know 100% for sure it is the problem.
Another update link is for Apple QuickTime and that one takes me to the QuickTime installer. But I have the iTunes+QuickTime version installed and I know for sure that installing the QuickTime-only version will "F" up the iTunes install. So do I install the link that PSI points to or re-install the software I already have that was updated a few weeks ago as I recall?
And if I have been through all 4 pages of the Comcast "fix" script, am I done/clean/bot-free or did I just waste 2 days doing someone's guess as what might be a fix for a problem my PC might have?
<Jordan_Ro> These are recommendations on best steps to ensure a secure computer. Based on our detection it does not appear that your network may still have an issue. Securing your computer against threats on the internet is time-consuming, but rarely a waste.
---
6. So I manually installed the "latest" update from Apple and no go. Turns out the QT-only is version 7.6.9, which is what PSI wants to see, but the same page on apple.com lists 7.6.8 as the latest version of QT for iTunes, which is what I installed.
(note: Apple did release an updated version of QT for iTunes a few days ago)
Also, on the old Adobe applications I have installed, I only use those for converting locally created files to PDF format. I have the most current version of the Acrobat Reader installed for viewing on-line and down-loaded PDF files.
Aside from the above two instances (3 files in total), my PSI score went from 94% to 98% but I see no way to get to 100%. So is this OK or is this the cause of my purported BOT infestation?
How can I tell when things are cleaned up???
<Jordan_Ro> See my comments above. We are still seeing evidence. We'll be happy to check again in a few days to see if there's any difference.
---
7. One of my computers connected to the net is an old SGI Irix machine; wonder if I can get a Norton version for it?
And again, I ask if there is a way I can test to see that I have cleaned my machines of this purported bot. If not, why?
<Jordan_Ro> See above
---
Basically, the main question is:
HOW DO I TELL IF I HAVE REMOVED THE PURPORTED BOT THAT ONE OR MORE OF MY PCS MIGHT HAVE HAD?
<Jordan_Ro> See above.
Sorry for the delay in getting you all these answers.
12-19-2010 06:17 PM
Jordan_RO wrote:
<Jordan_Ro> That is up to you. We are simply alerting you to a condition we've observed. As of 2010-12-18 11:34:27 we have still seen activity indicative of a bot infection.
Sorry for the delay in getting you all these answers.
OK, now I am totally confused. In talking to the "guy in the know" at 888-565-4329 this morning, he said there was no evidence of any unusual activity on my modem since 12/9/10. So who do I believe? The 888-565-4329 guy said that is who should be contacted about these issues.
12-19-2010 06:22 PM - edited 12-20-2010 03:20 PM
Jordan_RO wrote:
How can I tell when things are cleaned up???
<Jordan_Ro> See my comments above. We are still seeing evidence. We'll be happy to check again in a few days to see if there's any difference.
---
7. One of my computers connected to the net is an old SGI Irix machine; wonder if I can get a Norton version for it?
And again, I ask if there is a way I can test to see that I have cleaned my machines of this purported bot. If not, why?
<Jordan_Ro> See above
---
Basically, the main question is:
HOW DO I TELL IF I HAVE REMOVED THE PURPORTED BOT THAT ONE OR MORE OF MY PCS MIGHT HAVE HAD?
<Jordan_Ro> See above.
Sorry for the delay in getting you all these answers.
And I do not see that answer to:
"HOW DO I TELL IF I HAVE REMOVED THE PURPORTED BOT THAT ONE OR MORE OF MY PCS MIGHT HAVE HAD?".
Apparently I have not, or at least you say so. The 1-800-comcast folks said I was clean, the Norton remote connection guy said I was clean, I have received no follow-up bot-notice e-mail from Comcast for 11 days and finally the Comcast Customer Security Assurance Department guy said I was clean this morning when I called in.
And not quite sure what you are exactly telling me, one time you wrote:
...
<Jordan_Ro> These are recommendations on best steps to ensure a secure computer. Based on our detection it does not appear that your network may still have an issue. Securing your computer against threats on the internet is time-consuming, but rarely a waste.
So here you say "Based on our detection it does NOT appear that your network may still have an issue"
and later:
...
How can I tell when things are cleaned up???
<Jordan_Ro> See my comments above. We are still seeing evidence. We'll be happy to check again in a few days to see if there's any difference.
Then you say "We are still seeing evidence".
So which is it???
- "Based on our detection it does NOT appear that your network may still have an issue"
or
- "We are still seeing evidence".
Sounds a bit like the Schrödinger's cat paradox:
- http://en.wikipedia.org/wiki/Schr%C3%B6dinger%27s_
My PC may have a bot or it may not.
12-20-2010 01:27 AM
If you feel you have taken all steps that you can take, and you don't see any evidence of unusual slowdown or activity on your computer, then short of completely nuking your computer the best advice for knowing if you are truly rid of a bot would be to monitor your traffic, either yourself using your firewall logs or a third party program designed for such things.
While I cannot vouch for (or endorse) all of the software this article suggests, and the article itself is a bit older, many of the principles remain largely intact and straightforward - http://www.malwarehelp.org/is-your-pc-part-of-a-zo
12-20-2010 07:33 PM - edited 12-21-2010 11:47 AM
B-Mor wrote:
If you feel you have taken all steps that you can take, and you don't see any evidence of unusual slowdown or activity on your computer, then short of completely nuking your computer the best advice for knowing if you are truly rid of a bot would be to monitor your traffic, either yourself using your firewall logs or a third party program designed for such things.
While I cannot vouch for (or endorse) all of the software this article suggests, and the article itself is a bit older, many of the principles remain largely intact and straightforward - http://www.malwarehelp.org/is-your-pc-part-of-a-zombie-botnet-check-now-2009.html
OK, so I am running BOT Hunter on my system and it is finding some "bot" profiles. However, it is interesting to note that the IP address of the DECLARE BOT is:
Pop3.emeryville.ca.mail.comcast.net, which points to 76.96.26.11.
That is my e-mail POP server. So is this the sort of BOT activity that is showing up for my IP address?
DECLARE BOT
76.96.26.11 (16:11:47.747 PST)
event=777:7777008 {udp} E8[bh] Detected intense malware port scanning of 21 IPs (15 /24s) (# pkts S/M/O/I=0/61/14/0): 137u:61, [] MAC_Src: 92:16
6:87:7C:E3
0->0 (16:11:47.747 PST)
I assume that this is "normal" POP3 activity, unless perhaps the Comcast POP mail server is part of the botnet?
Also seeing a similar profile for the NTP (time) server I use to set my system time (65.49.92.27) at least it is one that shows up in the ntp server pool: http://www.pool.ntp.org/en/use.html
And also BOT Hunter also reports its own access to its reporting/database server as "malware" activity, so it seems to be quite trigger-happy, so to speak.
So while running BOT Hunter, I decided to download and install the RUBotted tool from Trend Micro. Dutifully, BOT Hunter reports that as a "serious" malware attack along with "egg" server access (i.e. downloading an exe file from the T/M server - Norton of course flags the downloaded file as safe). So after struggling with the install and eventually having to remove "SpyBot" due to an incompatible WinPcap version (4.0.2 vs. 4.1.1), RUBotted was run overnight with nothing reported.
But in playing with BOT Hunter and seeing how sensitive it is to normal programs, flagging them as potential "malware", including itself, I decided to do some testing. I found that both Firefox and IE trigger reports in BOT Hunter with access to what appears to be a youtube server at Google periodically. I also found that a multi-threaded news reader I use on a regular basis also triggers BOT Hunter with a "high threat level". That program has been scanned by Norton and also Secunia PSI as being up-to-date and safe. I can exactly correlate BOT Hunter reports with activity in that program. And this news reader is the recommended reader for the usenet server I use. And also that server is the one that Comcast transitioned to when they stopped offering usenet support a few years back.
So I suspect this may also be the case with Constant Guard. Is there any way I can be provided information on the exact timing of my purported "bot activity" on a timely basis? That is, if I can not start the suspect program(s) for a period of time, then start and run them for a period of time, then shut them down. Then we can see if the "bot activity" correlates in time with the running of the program(s).
I would imagine whoever developed this technology tested it with a selection of "normal" programs. Perhaps that testing was not wide enough to encompass the full range of non-malware applications and it is reporting too many false positives. And if this is indeed the case, what are the possibilities of getting the filters modified to accommodate such applications?
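The on/off experiment proposed in the post above can be scored mechanically. The block below is an added example, not code from the thread or from Comcast or BotHunter: it takes notice timestamps (the data the poster asks the ISP to provide) and the intervals during which each suspect program was deliberately run, then counts notices inside each program's run windows against the hit rate random timing would produce. All timestamps, program names and windows are constructed sample data.

```python
"""Added example: score the start/stop correlation test described in the thread.
Every timestamp, interval and program name here is constructed for illustration."""
from datetime import datetime, timedelta


def _t(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M")


# Constructed: the period over which notices were collected.
OBSERVATION = (_t("2010-12-20 08:00"), _t("2010-12-21 22:00"))

# Constructed: when each suspect program was deliberately started and stopped.
RUN_WINDOWS = {
    "newsreader": [(_t("2010-12-20 09:00"), _t("2010-12-20 12:00")),
                   (_t("2010-12-21 09:00"), _t("2010-12-21 12:00"))],
    "browser": [(_t("2010-12-20 13:00"), _t("2010-12-20 17:00"))],
}

# Constructed: timestamps of the ISP's bot notices during the observation period.
NOTICES = [_t("2010-12-20 09:30"), _t("2010-12-20 11:45"), _t("2010-12-20 15:10"),
           _t("2010-12-21 10:05"), _t("2010-12-21 20:00")]


def in_any_window(ts, windows, slack=timedelta(minutes=5)):
    """True if ts falls inside one of the (start, end) windows, allowing a
    little slack for clock skew between the customer's PC and the ISP sensor."""
    return any(start - slack <= ts <= end + slack for start, end in windows)


def correlate(notices, run_windows, observation):
    """For each program: notices that landed while it ran, versus the number a
    uniformly random notice stream would put there (total * fraction of time running).
    Also returns notices that fall outside every program's windows."""
    total_seconds = (observation[1] - observation[0]).total_seconds()
    report = {}
    for name, windows in run_windows.items():
        running = sum((end - start).total_seconds() for start, end in windows)
        hits = sum(1 for ts in notices if in_any_window(ts, windows))
        report[name] = {
            "hits": hits,
            "of": len(notices),
            "expected_if_random": round(len(notices) * running / total_seconds, 2),
        }
    all_windows = [w for ws in run_windows.values() for w in ws]
    unexplained = [ts for ts in notices if not in_any_window(ts, all_windows)]
    return report, unexplained


if __name__ == "__main__":
    rep, left = correlate(NOTICES, RUN_WINDOWS, OBSERVATION)
    for prog, r in rep.items():
        print(f"{prog}: {r['hits']}/{r['of']} notices while running "
              f"(random expectation {r['expected_if_random']})")
    print("notices outside every run window:", [ts.isoformat() for ts in left])
```

A program whose hit count sits well above its random expectation is worth isolating further; a notice that lands outside every window (here the late one on the 21st) is the kind that cannot be blamed on the programs under test and still needs a host-side explanation.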
12-21-2010 11:58 AM
In looking at this thread, one thing really sticks out and that is the question of how do I know if my computer really has been cleaned up and I am free of bots, viruses and other malware. This is a phenomenally hard question to answer. Malware is written to be hard to remove and the constant arms race between the malware writers and the A/V tools companies is never ending. Comcast offers some of the top-rated and most innovative tools on the market to customers to assist them in cleaning up their machines. However nothing is going to substitute for some ordinary common sense, because the best course of action here is not to get infected in the first place. Paying attention to what is displayed on your computer screen is a good idea. Windows 7 and Vista have controls which give you a warning when you are going to install software, and if you are not sure what the software is, do not install it. If you are offered something which is too good to be true, don't download it, don't reply to the email, be very suspicious !
The tools offered are excellent and amongst the best on the market, but sometimes they are not going to detect a piece of malware and that is a fact of life. You need to back up your data, make sure those precious pictures are stored somewhere else as well as on your PC and in the final analysis, you may have to reformat your PC in order to be sure. This is definitely not the first option and you need to follow the remediation processes laid down at the Constant Guard Center. It is essential that your machine is patched up to date and your AV installed and operational.
12-21-2010 05:19 PM - edited 12-21-2010 05:20 PM
Well, there are a few reasons to want to know what is triggering the constant guard service.
One is that if there really is malware/bot/virus/etc. then we all benefit by knowing what it is, how to find it and how to remove it (and reformatting/re-installing the o/s might be the only way to do that). And like the Bot Hunter s/w does, it correlates malware activity patterns to specific bots. Maybe this could be applied to enhance the value of the c/g notice. So instead of "you may have some sort of bot", it could say "you may have bot XYZ" and this is how to find/remove it.
Second is that blowing away a system disk and reformatting and re-installing the o/s is expensive in terms of time and effort required. I run a one person business and if I am tied up for several days reinstalling o/s, applications/ re-installing keys, passwords, etc. that is time I am not devoting to work. And for some reason things are very busy this time of year, something about some sort of holiday or something.
And thirdly, if, as I suspect per the above analysis w/ BotHunter, my suspected "infection" may be due to one or more of my regular applications that I use as part of my daily work, and if I do go to the effort of blowing away and restoring the system, only to find no change in this activity, then Comcast is likely to lose a loyal "business class" customer.
So I ask again, has anyone actually used the C/G system to identify infected machines, then physically gone to those machines and identified the source of the detected activity patterns? Then either removed that source (if it was a bot or other malware) or updated the C/G filters if they were too tight and caused a false positive report? If not, why not? And if you need a test case, PM me.
12-21-2010 05:29 PM
I don't think it's possible for Comcast to provide real-time notification of bot activity. If I understand what they're doing, they're making use of third party services that monitor for bot activity, not looking at your traffic directly (the FAQ specifically says that Comcast does NOT do "deep packet inspection", to avoid privacy concerns).
The way these services typically work is that they operate "honeypots". These are systems that just sit there, connected to the Internet, waiting for other machines to try to connect to them. Since they're not advertised as servers, any incoming connections must be from hackers and bots doing network scans.
The source of these connections are then published, and Comcast periodically checks these lists for their customer IPs.
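The mechanism Barmar describes, a published list of scanner sources matched against the ISP's own address space, is simple to implement, and doing so also produces exactly the per-event evidence (time, protocol, port) that customers in this thread keep asking for. The block below is an added example, not code from the thread or from Comcast: it parses a constructed honeypot sighting feed and matches each source against constructed customer prefixes (documentation ranges, not real Comcast space).

```python
"""Added example: match honeypot sightings against customer prefixes and keep
the per-sighting evidence. The feed lines and prefixes are constructed samples."""
import ipaddress
from datetime import datetime, timezone

# Constructed feed: one sighting per line, "timestamp,src_ip,proto,dst_port".
SAMPLE_FEED = """\
# timestamp,src_ip,proto,dst_port
2010-12-21T00:11:47Z,203.0.113.45,tcp,445
2010-12-21T00:12:03Z,198.51.100.7,udp,137
2010-12-21T00:13:59Z,203.0.113.45,tcp,22
2010-12-21T01:02:10Z,192.0.2.200,tcp,25
"""

# Constructed customer address space (RFC 5737 documentation ranges).
CUSTOMER_PREFIXES = [
    ipaddress.ip_network("203.0.113.0/24"),
    ipaddress.ip_network("198.51.100.0/25"),
]


def parse_feed(text):
    """Parse the feed into dicts; blank lines and '#' comments are skipped."""
    sightings = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, ip, proto, port = line.split(",")
        sightings.append({
            "time": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc),
            "ip": ipaddress.ip_address(ip),
            "proto": proto.lower(),
            "port": int(port),
        })
    return sightings


def match_customers(sightings, prefixes):
    """Keep only sightings whose source is inside one of our prefixes, keyed by IP."""
    hits = {}
    for s in sightings:
        if any(s["ip"] in p for p in prefixes):
            hits.setdefault(str(s["ip"]), []).append(s)
    return hits


def evidence_summary(hits):
    """Per customer IP: how many sightings, the time span, and the (proto, port) set.
    This is the detail a notified customer needs to check their own traffic."""
    out = {}
    for ip, events in hits.items():
        events = sorted(events, key=lambda e: e["time"])
        out[ip] = {
            "count": len(events),
            "first": events[0]["time"].isoformat(),
            "last": events[-1]["time"].isoformat(),
            "ports": sorted({(e["proto"], e["port"]) for e in events}),
        }
    return out


if __name__ == "__main__":
    summary = evidence_summary(match_customers(parse_feed(SAMPLE_FEED), CUSTOMER_PREFIXES))
    for ip, info in summary.items():
        print(ip, info)
```

Note that the match is on source address only; with dynamic addressing the ISP still has to tie the sighting time back to the account that held the address then, which is one reason the time of each event matters as much as the address.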
12-21-2010 05:37 PM
4CrawlR wrote:
OK, so running BOT Hunter on my system and it is finding some "bot" profiles. However, it is interesting to note that the IP address of the DECLARE BOT is:
Pop3.emeryville.ca.mail.comcast.net points to 76.96.26.11.
Which is my e-mail POP server. So is this the sort of BOT activity that is showing up for my IP address?
DECLARE BOT
76.96.26.11 (16:11:47.747 PST)
event=777:7777008 {udp} E8[bh] Detected intense malware port scanning of 21 IPs (15 /24s) (# pkts S/M/O/I=0/61/14/0): 137u:61, [] MAC_Src: 92:166:87:7C:E3
0->0 (16:11:47.747 PST)
I assume that this is "normal" POP3 activity, unless perhaps the Comcast POP mail server is part of the botnet?
Something strange is going on there. Normal communication with a POP3 server uses TCP, not UDP.
12-21-2010 06:09 PM - edited 12-21-2010 06:16 PM
Barmar wrote:
I don't think it's possible for Comcast to provide real-time notification of bot activity. If I understand what they're doing, they're making use of third party services that monitor for bot activity, not looking at your traffic directly (the FAQ specifically says that Comcast does NOT do "deep packet inspection", to avoid privacy concerns).
The way these services typically work is that they operate "honeypots". These are systems that just sit there, connected to the Internet, waiting for other machines to try to connect to them. Since they're not advertised as servers, any incoming connections must be from hackers and bots doing network scans.
The source of these connections are then published, and Comcast periodically checks these lists for their customer IPs.
Perhaps I attributed too much sophistication to this great system that Comcast developed. I sure hope this is not the final version as it just seems so vague (you *may* have one or more infected PCs) and imprecise that it makes finding out what is going on basically impossible. Might as well just make the e-mail read, "please reformat all the disks on your PCs and reload the O/S", as that is what you seem to be implying. And on the "may have an infection", is that "may" like 51% for sure / 49% not or is it 99% for sure / 1% not?
It just seems there needs to be some "next level" in finding out what is going on. Perhaps offering some optional local monitoring that the customer can install to augment that coarse data and help point out the cause. Otherwise, it is hard to figure out what the goal of this C/G program is. If it is just to warn folks to keep systems updated and scanned for malware, that is one thing. But if it is to either force folks to reformat systems or cancel their Comcast service, that seems a bit harsh.
12-21-2010 06:11 PM - edited 12-21-2010 07:12 PM
Barmar wrote:
4CrawlR wrote:
OK, so running BOT Hunter on my system and it is finding some "bot" profiles. However, it is interesting to note that the IP address of the DECLARE BOT is:
Pop3.emeryville.ca.mail.comcast.net points to 76.96.26.11.
Which is my e-mail POP server. So is this the sort of BOT activity that is showing up for my IP address?
DECLARE BOT
76.96.26.11 (16:11:47.747 PST)
event=777:7777008 {udp} E8[bh] Detected intense malware port scanning of 21 IPs (15 /24s) (# pkts S/M/O/I=0/61/14/0): 137u:61, [] MAC_Src: 92:166:87:7C:E3
0->0 (16:11:47.747 PST)
I assume that this is "normal" POP3 activity, unless perhaps the Comcast POP mail server is part of the botnet?
Something strange is going on there. Normal communication with a POP3 server uses TCP, not UDP.
I'll try re-running BotHunter, I guess it does not save that log data. There were a dozen or so entries like that but I don't recall if they were all udp or some tcp as well. And they did seem to stop after BotHunter finally connected with its data repository (apparently it does not always connect), so not sure what was going on there. First time BotHunter user.
OK, found the old B/H log file and indeed the UDP entry is followed by a similar TCP entry:
DECLARE BOT
76.96.26.11 (16:16:39.214 PST)
event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 22 IPs (16 /24s) (# pkts S/M/O/I=0/63/17/0): 137u:63, [] MAC_Src: 92:166:87:7C:E3
0->0 (16:16:39.214 PST)
tcpslice 1292890599.214 1292890599.215 inputFile.tcpd | tcpdump -r - -w outputFile.tcpd 'host 192.168.1.101'
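The two DECLARE BOT entries above, one UDP and one TCP against the same mail server, are easier to reason about once they are pulled apart into fields. The block below is an added example, not code from the thread and not part of BotHunter: it parses DECLARE BOT blocks in the layout quoted here and applies the check Barmar raises, flagging events whose protocol does not match what the peer is known to serve. The sample log is constructed from the two entries quoted in the thread, and the known-services table (76.96.26.11 as a TCP-only POP3 server) is an assumption for illustration.

```python
"""Added example: parse BotHunter-style 'DECLARE BOT' blocks and flag events whose
protocol is unexpected for a known peer. Sample log constructed from the thread;
the known-services table is assumed."""
import re

SAMPLE_LOG = """\
DECLARE BOT
76.96.26.11 (16:11:47.747 PST)
event=777:7777008 {udp} E8[bh] Detected intense malware port scanning of 21 IPs (15 /24s) (# pkts S/M/O/I=0/61/14/0): 137u:61, [] MAC_Src: 92:166:87:7C:E3
0->0 (16:11:47.747 PST)
DECLARE BOT
76.96.26.11 (16:16:39.214 PST)
event=777:7777008 {tcp} E8[bh] Detected intense malware port scanning of 22 IPs (16 /24s) (# pkts S/M/O/I=0/63/17/0): 137u:63, [] MAC_Src: 92:166:87:7C:E3
0->0 (16:16:39.214 PST)
"""

# "<ip> (<time>)" header line that follows DECLARE BOT
HEADER_RE = re.compile(r"^(?P<ip>\d{1,3}(?:\.\d{1,3}){3}) \((?P<time>[^)]+)\)$")
# event line: signature id, protocol, sensor tag, description, counts, ports, MAC
EVENT_RE = re.compile(
    r"^event=(?P<sid>\d+:\d+) \{(?P<proto>[a-z]+)\} (?P<sensor>\S+) "
    r"(?P<desc>.+?) of (?P<n_ips>\d+) IPs \((?P<n_24>\d+) /24s\) "
    r"\(# pkts S/M/O/I=(?P<pkts>[\d/]+)\): (?P<ports>[^,]*), \[\] MAC_Src: (?P<mac>[0-9A-Fa-f:]+)$"
)


def parse_bothunter(text):
    """Return one dict per DECLARE BOT block; malformed blocks are skipped."""
    lines = [ln.strip() for ln in text.splitlines()]
    events, i = [], 0
    while i < len(lines):
        if lines[i] != "DECLARE BOT" or i + 2 >= len(lines):
            i += 1
            continue
        hdr, ev = HEADER_RE.match(lines[i + 1]), EVENT_RE.match(lines[i + 2])
        if not (hdr and ev):
            i += 1
            continue
        s, m, o, inb = (int(x) for x in ev["pkts"].split("/"))
        events.append({
            "peer": hdr["ip"], "time": hdr["time"], "sid": ev["sid"],
            "proto": ev["proto"], "sensor": ev["sensor"], "desc": ev["desc"],
            "n_ips": int(ev["n_ips"]), "n_24": int(ev["n_24"]),
            "pkts": {"S": s, "M": m, "O": o, "I": inb},
            "ports": ev["ports"], "mac": ev["mac"],
        })
        i += 4  # DECLARE BOT, header, event, trailing "0->0 (...)" line
    return events


# Assumed for illustration: peers and the transport protocols they legitimately use.
KNOWN_SERVICES = {"76.96.26.11": {"tcp"}}  # POP3 server, TCP only


def protocol_mismatches(events, known):
    """Events whose peer is a known service but whose protocol is not one it serves."""
    return [e for e in events if e["peer"] in known and e["proto"] not in known[e["peer"]]]


if __name__ == "__main__":
    evs = parse_bothunter(SAMPLE_LOG)
    for e in evs:
        print(e["time"], e["peer"], e["proto"], e["n_ips"], "IPs", e["pkts"])
    for e in protocol_mismatches(evs, KNOWN_SERVICES):
        print("unexpected protocol:", e["proto"], "to", e["peer"], "at", e["time"])
```

The parser only recognises the four-line layout shown in the thread; a real BotHunter profile contains other sections that this example ignores.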
12-21-2010 06:26 PM
Barmar wrote:
I don't think it's possible for Comcast to provide real-time notification of bot activity. If I understand what they're doing, they're making use of third party services that monitor for bot activity, not looking at your traffic directly (the FAQ specifically says that Comcast does NOT do "deep packet inspection", to avoid privacy concerns).
Imagine the calamity were they ever to implement DPI !!!!
12-22-2010 02:22 AM
4CrawlR, there's a forum at bothunter.net that might be a better place to get help interpreting its output.
01-06-2011 08:25 PM - edited 01-06-2011 08:30 PM
You send me an email that says I have a bot. I use the Norton security package you give, my Win7 was updated last night, and I regularly use Malwarebytes anti-malware. The link in the email you sent me to your site where I'm told that I need to update Windows (I don't), need to see if my anti-virus is up to date (it is), and I need to download Windows malicious software removal tool. I downloaded it, and it told me it would not work with my version of Windows. I have the most current, updated version. I figured that I downloaded the wrong version. I went back, and there is no other version. Step four of your "solution" is to download your software that, one, updates my installed programs, and two, offers another layer of protection.
What bugs me so much about this absurd runaround, that you send me a message that I may have a bot, send me to your website "for instructions to help you remove the Bot from your computer(s)," don't tell me what the bot is (the Microsoft tool, I assume requires that), and doesn't provide any evidence that I even have a bot.
Just what was the point of that email, other than try to promote your new service?
By the way ... the links in the original post are dead.
01-07-2011 06:53 AM
The technology used to provide you with this warning cannot tell you what the malware on your computer actually is since Comcast does not inspect any files on your computer. We don't think people would like the idea of us checking files on your computer and this is the only way to check as to the type of malware. We can tell that you have visited a site on the Internet which is known to be associated with a botnet and as such we have sent you a warning that you may be infected with a bot.
The point of the email is to warn you that you may be infected and to make sure that you are using all the tools that can be used. It looks from your response as if you are taking a proactive approach to security, which is not always the case. You will also likely know that bots are difficult to detect and that not all bots can be removed by any tool on the market. The page to which you were sent contains generic advice as to how to maintain a reasonable security posture. We send people this advice since experience shows that many people do not perform the security basics such as running Windows update, installing A/V and making sure their machine is as secure as possible.
The paid for support service is intended as an option for those people who are not happy doing these sort of procedures on their own machines.
01-07-2011 09:09 AM
So why is Comcast notifying you that you have a bot? Before I come to answer that, I would like to talk a bit about bots, the whys and wherefores and the threat they pose.
Bots are the bane of the Internet. They are pieces of software, which have been put on your computer with the intent of doing something bad. You did not ask for them to be there, you did not know they were put there, yet sitting on your PC is a piece of software that is certainly there to do something you won’t like.
What sort of things do bots get up to? Well fundamentally they are designed to steal things, things that you value like your username and password for your online bank account, or your username and password for your email or Facebook account. They are there to try and send spam from your PC to all your friends (or lots of other people), or to use your machine to attack other sites on the Internet. As such, it is a good thing that Comcast has told you that you may have a bot on your PC because you will certainly want to get rid of it.
Now you may well ask where did I get this bot on my machine from and the answer you can be given won’t make you any happier. It could have come to you via email. IM or just because you visited an infected web site (even if you did not click anything – an online ad may have installed it). You could have gotten it because someone fooled you into opening a file they sent you which looked like a Christmas card or a good way to see some amusing videos. Discussing how you might get a bot is rather futile, since there are so many ways and even if you are very ‘secure’ you can still get one. As one infection method is curtailed, the bot developers find another and they know above all they can rely on the fact that most people do not have a “security first” mindset when they are surfing on the Internet. The best way to get a bot on to a PC is to fool the person into clicking on something because no matter how much security is on the PC, if the user gives permission, then software can be installed and a bot will be born on your PC. Of course, some bots can install themselves just by visiting a website (drive-by infection).
I do not propose to go into the ways that Comcast detected that you may have a bot. This has been covered in many other postings, both here and on the Constant Guard™ site. You would not be reading this unless you most likely have received a notification from Comcast. Comcast has warned you because there is an indication you may be infected with a bot. It is not a 100% guarantee that you have a bot, but based on the current state of the art, it is a firm indication that something is amiss and we do not want our customers to be at risk (better safe than sorry, so to speak).
Now we come to the tricky part. Bot remediation is hard, really hard and won’t get any easier. Bots are designed to be hard to find, hard to dislodge and sneaky when they are running. Comcast has offered recommendations on a number of tools such as Norton, Immunet, and Secunia to help you with the problem. We’ve also offered some guidance to ensure that you are as well protected as you can be on the Internet. However, the fact is that the authors of bots spend a lot of time trying to ensure their software is undetectable when it is sent to your PC and is difficult to remove when it is installed. In fact, there are no tools available which will guarantee to remove a bot 100% of the time. The tools that you have been offered on the Constant Guard™ site are some of the best on the market and have been selected based on effectiveness and ease of use. The best thing to do is to follow the remediation steps on the Constant Guard™ pages. These will use the tools to their fullest.
There are a couple of other tools you may want to consider if you still feel that there is a problem. There is a good one called Malwarebytes, which can be found at www.malwarebytes.com and another called Spybot Search and Destroy, which can be found at http://www.safer-networking.org/en/spybotsd/index.
However, it may be that none of these tools work and you are still infected. If this is the case, then the best way to get rid of a bot is to format your hard drive and reinstall all your software. This does of course mean that unless you have backed up all your files and data, then this is all gone. So this really is the nuclear option, so to speak. Just to be clear, once you have formatted your hard drive, your data, your pictures, your files and your downloaded programs, are all gone and not capable of being recovered.
Comcast can offer you professional help in the form of the Xfinity Signature Support service. For a fee, a technician will log on to your machine and clean it up. This service can be found at https://constantguard.comcast.net/xss/signaturesup
The developers of bots spend a lot of time to create software, which is efficient, undetectable and does bad things. The best defense is to make sure that your machine is as secure as possible using the recommended tools. However you are the best defense against bots. Do not click on things you are not sure of, don’t download programs from places you are not sure of, and any offer that is too good to be true certainly is.
01-07-2011 10:55 AM
So would it be correct to say: Comcast is doing the best it can to detect bots and warn us. The instructions in the warnings are more advice on dealing with bots rather than actual instructions per-se. Comcast asks that we do our best to deal with checking for bots if we get a warning. And that's the best we can do for now, because neither the detection by Comcast nor the tools available to us are perfect.
Is that a fair characterization?
01-07-2011 11:29 AM
Although I might change the term "actual instructions" to "specific instructions", Yes, I would call that a fair characterization.
Quoting stephen123: (edited)
Comcast is doing the best it can to detect bots and warn us. The instructions in the warnings are more advice on dealing with bots rather than specific instructions per-se. Comcast asks that we do our best to deal with checking for bots if we get a warning. And that's the best we can do for now, because neither the detection by Comcast nor the tools available to us are perfect.
01-07-2011 11:35 AM
Thanks for your response, a great summary.
01-25-2011 05:56 PM - edited 01-26-2011 08:43 AM
UPDATED: It seems the e-mail issues are unrelated. So only question is below.
--------------------------------------------------
I'm wondering if one of the mods here can help me. I received one of these warning e-mails on 01/18, which was the day I started having problems with some e-mails I receive. I use a service that sends me e-mail alerts regularly (sometimes 10 or 20 within a few minutes, although I'm working to reduce that to something reasonable). On the 18th was the first day I had problems with the service where they would send me duplicates at the exact same time (appearing as spam to some e-mail filter tools). I've been working with them to get that fixed and as of the 20th, I haven't been receiving anymore duplicate e-mails. And the quantity has also reduced to something more manageable.
But starting today the e-mails stopped completely (several from 11:50 and later didn't arrive). So I'm wondering if this Comcast warning is related. Do you stop e-mails from arriving that may appear to be spam (or bot-generated or something like that)? Or are the e-mail issues completely unrelated (a possibility since I was just having problems with duplicates).
--------------------------------------------------
UPDATED: It seems the e-mail issues are unrelated. A second e-mail I use also stopped receiving these e-mails at the same time so it seems above is not Comcast specific. So only question is below.
Can you give me any more info on the malware I'm supposed to have. I did have another visitor over Christmas time (Dec 21 thru 28 I think). And if it fell during that time frame, then I'm sure it was their computer, which I've had to clean for them in the past and I wouldn't doubt is infected again.
I can find nothing active on my machine - although a complete scan did find something in a zip I had downloaded, but never extracted.
I saw that we are routed through a proxy if we are marked as infected. I didn't read the whole thread yet, but it didn't seem that there was a way to get "un-blacklisted". Just wondering how that affects me? Will everything be slightly delayed since going through a proxy now?
Thanks for any help,
Tadd
01-31-2011 11:27 PM
We did see evidence of bot activity and sent you a notice in response. That is for certain. This was not a guess or an error.
Ok, I'll admit I didn't go through all of these posts. I did go through enough to understand that other folks got this "warning" whose systems appear to be clean. So that brings me to the quote.
"Did see evidence"? What evidence?? That is what I need to know to determine if I have an infected system. Telling me that I might have spurious traffic that tripped a sensor isn't telling me a derned useful thing.
"This was not a guess or an error"? What was not a guess or an error? Again, tell me what traffic is problematic and I can properly determine if what your systems saw was legitimately problematic.
If I have a system that is hitting known bad IPs, as your Constant Guard page suggests, tell me what IPs so that I can monitor my own traffic. If there is a specific pattern of html or encrypted traffic, give me a hint so I know what to look for. If you're seeing odd smtp traffic, let me know.
If this is as useful as this service gets, scaring folks into wasting money to support personnel to find a "bot" that doesn't exist, then please tell me how to disable the service.
Don't get me wrong, I would very much like for my systems to be thoroughly secure. However, I found the email I was sent from constant guard to be thoroughly useless.
Just so we're clear:
Yes my Norton Security Suite is up to date and enabled.
Yes I have layers of firewalls in my environment.
Yes I have checked load points and file system.
Yes I have checked network traffic.
No, I'm not anywhere closer to determining why you sent me an email, please be more clear.
Thanks.
02-18-2011 03:08 PM
suibom wrote:
We did see evidence of bot activity and sent you a notice in response. That is for certain. This was not a guess or an error.
Ok, I'll admit I didn't go through all of these posts. I did go through enough to understand that other folks got this "warning" whose systems appear to be clean. So that brings me to the quote.
"Did see evidence"? What evidence?? That is what I need to know to determine if I have an infected system. Telling me that I might have spurious traffic that tripped a sensor isn't telling me a derned useful thing.
"This was not a guess or an error"? What was not a guess or an error? Again, tell me what traffic is problematic and I can properly determine if what your systems saw was legitimately problematic.
If I have a system that is hitting known bad IPs, as your Constant Guard page suggests, tell me what IPs so that I can monitor my own traffic. If there is a specific pattern of html or encrypted traffic, give me a hint so I know what to look for. If you're seeing odd smtp traffic, let me know.
If this is as useful as this service gets, scaring folks into wasting money to support personnel to find a "bot" that doesn't exist, then please tell me how to disable the service.
Don't get me wrong, I would very much like for my systems to be thoroughly secure. However, I found the email I was sent from constant guard to be thoroughly useless.
Just so we're clear:
Yes my Norton Security Suite is up to date and enabled.
Yes I have layers of firewalls in my environment.
Yes I have checked load points and file system.
Yes I have checked network traffic.
No, I'm not anywhere closer to determining why you sent me an email, please be more clear.
Thanks.
I can echo that 100% and more.. we run a small network from our home and we maintain all of our PCs using current security best practices.. current and updated AV, firewall, UAC, daily AV and malware scans, and so on.
I also would like to know how this is triggered.. locally we run a few IRC clients connecting to 6 or so networks, a streaming media app (inet radio), and various work-related apps.. ssh, ftp, etc.. In the course of a day, I may browse to a known phish or malware site due to troubleshooting a client's website or system, but we NEVER allow the site to actively do anything (thank you Firefox and NoScript!).
So if its just hitting a specific IP, we need to know this. If its specific type of traffic or level of traffic, we also need to know so as to rule out any chance of a FP.
I spoke with a phone rep, who tended to agree with my IRC usage and/or hitting an occasional bad website in the course of daily business. However there was no true confirmation nor details (date, time, protocol used, etc.) given. That NEEDS to be addressed by the security assurance team and provided to the customers.. us.
We'll see what happens over the next week and call them back to see if they see any further FP or "hits" on their systems.
02-18-2011 04:05 PM
Hi PPNSteve,
If the folks you talked to are the Customer Security Assurance team @ 1 - 888-565-4329, then you are talking to the correct people. They are the only ones who would have access to the info you are requesting.
A veteran - whether active duty, retired, national guard, or reserve - is someone who, at one point in his or her life, wrote a blank check made payable to The 'United States of America', for an amount of 'up to and including my life.'
02-18-2011 04:26 PM
USAF_E-8_RET wrote:
Hi PPNSteve,
If the folks you talked to are the Customer Security Assurance team @ 1 - 888-565-4329, then you are talking to the correct people. They are the only ones who would have access to the info you are requesting.
They are indeed the people I spoke with..
I still find it curious that they flagged us.. we're quite clean as far as our PCs are concerned.
I hope that the various activity / browsing I mentioned above, which seemed to be confirmed by the tech, is indeed all it is. Me just doing my job.. lol
I guess time will tell.
02-18-2011 07:26 PM
The primary annoyance with this is that, while it is nice of them to try and warn us, it's a HUGE time waster trying to hunt down such an ambiguous event. And, when I say huge I mean potentially from several hours to several days depending on the environment. And when I say time, I mean *money*; which I'm sure PPNSteve can attest to.
It really needs to be made more clear what options we have to deal with this, not the random crud that we get sent to as is. The options I would like made right up front is either the option to opt out of these alerts or, better, the option to opt in to more detailed information: port, protocol, timeframe, IP. It should be made clear in the pages we are directed to who we can contact about these events and what we can expect from that communication.
In my case, my systems are clean and I believe the alert likely originated from some SMTP troubleshooting I was doing. I was trying to get a baseline of a working TLS transaction to help troubleshoot a broken one a while before the alert was sent. I figure that attempts were probably tagged as a spam bot or something.
If that's the case, then I can understand why the alert was generated. But I am not at all happy about the runaround that resulted from the alert and lack of usable data.
Please find a way to make these events easier to navigate for customers.
02-19-2011 09:13 AM
I recommend folks open new threads for any issues / questions they have about their connection.
02-19-2011 09:17 AM
suibom wrote:
The primary annoyance with this is that, while it is nice of them to try and warn us, it's a HUGE time waster trying to hunt down such an ambiguous event. And, when I say huge I mean potentially from several hours to several days depending on the environment. And when I say time, I mean *money*; which I'm sure PPNSteve can attest to.
Your account history has bot activity as recently as a few weeks ago. There are 3 different malware families observed, a total of 30 times since the holidays in December. You do not have activity in the past couple of weeks, so perhaps you found whatever the issue was (or the bot is not currently active).