05-02-2012 02:46 PM
NIS 2012 ver. 19.7.09. After getting a fresh IP address by switching routers, and after a few days, I notice that in NIS History there is a statement that I have a new gateway, MAC and all. Only problem, it is a spoofed MAC, not mine, not the router, not the modem, not the PC or NIC cards. The MAC will always be close to the router's, with just a couple of numbers changed, so at first it looks identical. When this happens I cannot block this MAC as it is active. I have to reboot the modem and use a different router; that gets a whole new IP address and everything is fine for a few days. I have been blocking the spoofed MAC after the change of IP. BTW, finally I thought you caught them, it, whatever, with the submission of Cloud 7. L and WS Trojan H, but you said it was alright?
When my gateway gets spoofed, web pages slow way down on loading, and I am not sure if my banking and other passwords can be read. Do you have a solution for this? BTW, all scans in safe zone come up clean, both with NIS and Superantispyware. To my knowledge I am not using any Cloud based software.
05-02-2012 03:31 PM - edited 05-02-2012 03:36 PM
Some routers, such as the Linksys WRT54G for example, have separate MAC addresses for the WAN (what your ISP sees), the LAN (what your wired ethernet network sees) and the WLAN (what your wireless network sees). Each of these will be identical except for the last digit in the MAC address.
Moreover, spoofing a MAC address means that one is making a separate device appear to be the device that actually belongs to the legitimate MAC address in question. The MAC address would look the same, not different. What you describe is not MAC address spoofing, and would not permit an outside device to join your network by pretending to be an allowed device.
Further still, the Cloud 7. L and WS Trojan H submissions, unless they are being detected and removed by Norton during a virus scan, are simply files of interest that are submitted to Symantec for analysis. If you are finding them listed in Norton Community Watch, but not in Quarantine or Resolved Security Risks, then they are not malicious and would not be related to anything you are reporting as an issue.
Networking can be difficult to troubleshoot sometimes, so it is hard to know what might be causing web page loading to be slower with one network connection than another - especially if you are alternating routers (although if you are using both routers at the same time you could be having a problem with double NATing). But from what you describe, it sounds like things are behaving normally (Norton firewall logs report new connections and closed connections all the time). I wouldn't be too concerned about anything malicious going on, and the best thing to do if connection speed seems to be an issue would be to review all of your Windows and router wireless settings to make sure everything is set up correctly.
05-03-2012 07:24 AM
Well of course my routers have two MACs. One for wired and a different one for wireless. These are Linksys routers with DD-WRT firmware. The MACs are configurable as well. But I just leave them the stock MAC of the router. By spoofing I mean that the gateway listed in NIS is just two numbers off in two different columns of the address, like changing a 55 to a 56 and a 61 to a 62. But technically this is a different MAC. I don't use wireless anymore. I know the MAC of all my hardware. And this appears to be a "semi-spoof" on the router's wired LAN. At first glance it looks the same, but it is not. When this event happens, web pages take longer to load, as if filtered. CISPA is not started yet, is it?
05-03-2012 07:28 AM - edited 05-03-2012 07:44 AM
The last time I noticed it, the MAC was not even close to any hardware MAC that I have. And it was listed by NIS in History as a new gateway. I don't get it. Unless 'it' has back door help.
Win7 64 bit. Firewall always set to Public Place, with no sharing in advanced sharing. I noticed file and printer sharing was ticked. I did not do that. To my horror. I rechecked all my sharing settings to No Sharing. Something is going on, I can tell you that much. I don't even allow my machine name to be broadcast with DNS. TCP/IP helper is disabled. Even though I have been using Norton products since 95, I don't come to the Forums much, because I usually can work things out myself. The technology is changing so fast on the internet end, I'm playing catch up all the time. When I first heard 'Cloud', I didn't like it. It is insecure.
05-03-2012 10:12 AM
MAC addresses that are one digit off have been reported often (such as here) and I have seen it on my own system as well. It is a matter of your router having separate MAC addresses for different networks. I think if you dig around in the router settings you will find the unexplained MAC address listed somewhere.
Since you are using a wired connection, I am not sure what significance you are attaching to the MAC address. I don't know how or why the MAC address could or would be tampered with, if that is what you are suspecting.
What are the timestamps for the Norton History log events? Do they correspond to system startup times? Are there any entries associated with the new gateway entries, such as "network disappeared" entries?
05-04-2012 10:20 PM - edited 05-04-2012 10:21 PM
Thanks for your help SendOfJive. It seems that I had a bad Flash plug-in for Firefox. It would try to update even though I was using Chrome!? NIS said I allowed this update. I didn't even know about it. I removed all Flash Players and plug-ins, then uninstalled Firefox. I found some strange folders in my Pictures folder. One was called "Operation Cannibus". It had some weird pics in it, like pics of Charles Manson sticking his tongue out. Weird stuff. I think it was a Govt. hack. Hope I got it all.
05-04-2012 11:41 PM - edited 05-04-2012 11:55 PM
The Flash Player update is not suspicious. The most recent versions of Flash Player have an automatic silent update capability enabled by default. There was a critical update released today for Flash Player, so it would not be at all mysterious as to why your Firefox Flash Player plug-in tried to update. In fact, Adobe confirms that this silent update mechanism was enabled for today's patch because the zero-day vulnerability it addresses is already being exploited. You can read about the Flash Player background updater here:
I just Googled Operation Cannabis and was pointed to a recent pro-Marijuana campaign by that name being launched by Anonymous (the infamous hacker group). When I clicked on a link to the Anonymous statement regarding Operation Cannabis, I got a Norton malicious full page block - so it is certainly possible to get into trouble if you stumble onto that particular site with your shields down.