
Kudos1 Stats

Norton blocked an attack by: System Infected: Bitcoinminer Activity 6

Since the automatic definition update this morning, we've had roughly 20 computers in 10 different homes or offices (we're an IT services provider for home and small businesses) all have a popup about Bitcoinminer Activity 6. All of the customers are running Norton from Xfinity.

The alert details are:

Category: Intrusion Prevention
Date & Time: 1/30/2018 11:01:13 AM
Risk: High
Activity: An intrusion attempt by primary.mypools.xyz was blocked.
Status: Blocked
Recommended Action: No Action Required
IPS Alert Name: System Infected: Bitcoinminer Activity 6
Default Action: No Action Required
Action Taken: No Action Required
Attacking Computer: primary.mypools.xyz (104.223.89.251, 5555)
Destination Address: TERMINAL2 (192.168.1.112, 49889)
Source Address: primary.mypools.xyz (104.223.89.251)
Traffic Description: TCP, Port 5555

Network traffic from primary.mypools.xyz matches the signature of a known attack. The attack was resulted from \DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\WINDOWSPOWERSHELL\V1.0\POWERSHELL.EXE. To stop being notified for this type of traffic, in the Actions panel, click Stop Notifying Me.

When I run NortonPowerEraser, as suggested, it finds the following registry key:

Registry Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell\"ExecutionPolicy"

After allowing NPE to fix that key and reboot, the same popup/alert continues.

It seems very suspect to have this many random customers call (including one with a fresh install of W10 for an 80-year-old woman who isn't doing things that would get her infected), and it leads me to suspect that we're just dealing with some sort of false positive from the definition update that happened this morning.

I've run a manual LiveUpdate, which downloaded new definitions, but no change in the alert.

Anyone else seeing this out there that can tell me we're not alone?
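As an added example (not from the original post and not Norton tooling), the script below parses rows in the column layout of Norton's IPS history export, the same twelve columns as the alert above, and pulls the initiating process out of the alert detail sentence. It then groups alerts by signature and remote endpoint to show how many distinct local hosts were hit, and uses the port pair to tell whether the local machine opened the connection. The sample rows and the host names FRONTDESK and TERMINAL2 are constructed; only the first row mirrors the posted alert. The "ephemeral port means client side" rule assumes the Windows default dynamic port range starting at 49152.

```python
import csv
import io
import re
from collections import defaultdict

# Constructed sample in the column layout of Norton's IPS history export.
# Row 1 mirrors the alert posted in the thread; rows 2-3 and the host names are made up.
SAMPLE_EXPORT = """\
Date & Time,Risk,Activity,Status,Recommended Action,IPS Alert Name,Default Action,Action Taken,Attacking Computer,Destination Address,Source Address,Traffic Description
1/30/2018 11:01:13 AM,High,An intrusion attempt by primary.mypools.xyz was blocked.,Blocked,No Action Required,System Infected: Bitcoinminer Activity 6,No Action Required,No Action Required,"primary.mypools.xyz (104.223.89.251, 5555)","TERMINAL2 (192.168.1.112, 49889)",primary.mypools.xyz (104.223.89.251),"TCP, Port 5555"
1/30/2018 11:03:40 AM,High,An intrusion attempt by primary.mypools.xyz was blocked.,Blocked,No Action Required,System Infected: Bitcoinminer Activity 6,No Action Required,No Action Required,"primary.mypools.xyz (104.223.89.251, 5555)","FRONTDESK (192.168.1.20, 50112)",primary.mypools.xyz (104.223.89.251),"TCP, Port 5555"
1/30/2018 11:05:02 AM,High,An intrusion attempt by primary.mypools.xyz was blocked.,Blocked,No Action Required,System Infected: Bitcoinminer Activity 6,No Action Required,No Action Required,"primary.mypools.xyz (104.223.89.251, 5555)","TERMINAL2 (192.168.1.112, 49901)",primary.mypools.xyz (104.223.89.251),"TCP, Port 5555"
"""

# The detail sentence from the posted alert; the process path appears only here, not in a column.
SAMPLE_DETAIL = (
    "Network traffic from primary.mypools.xyz matches the signature of a known attack. "
    "The attack was resulted from \\DEVICE\\HARDDISKVOLUME2\\WINDOWS\\SYSTEM32"
    "\\WINDOWSPOWERSHELL\\V1.0\\POWERSHELL.EXE."
)

ENDPOINT_RE = re.compile(r"^(?P<name>[^(]+?)\s*\((?P<ip>[\d.]+),\s*(?P<port>\d+)\)$")
PROCESS_RE = re.compile(r"resulted from (?P<path>\\\S+?\.exe)", re.IGNORECASE)

# Assumption: Windows default dynamic (client) port range begins at 49152.
EPHEMERAL_START = 49152


def parse_endpoint(field):
    """'TERMINAL2 (192.168.1.112, 49889)' -> ('TERMINAL2', '192.168.1.112', 49889)."""
    m = ENDPOINT_RE.match(field.strip())
    if not m:
        raise ValueError(f"unrecognised endpoint field: {field!r}")
    return m.group("name"), m.group("ip"), int(m.group("port"))


def parse_process(detail_text):
    """Return the local executable named in the alert detail text, or None."""
    m = PROCESS_RE.search(detail_text)
    return m.group("path") if m else None


def connection_direction(remote_port, local_port):
    """The side holding an ephemeral port is the client, so it opened the connection."""
    if local_port >= EPHEMERAL_START and remote_port < EPHEMERAL_START:
        return "outbound"
    if remote_port >= EPHEMERAL_START and local_port < EPHEMERAL_START:
        return "inbound"
    return "unknown"


def parse_export(csv_text):
    """Turn the CSV export into a list of alert dicts with endpoints split out."""
    alerts = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        rname, rip, rport = parse_endpoint(row["Attacking Computer"])
        lname, lip, lport = parse_endpoint(row["Destination Address"])
        alerts.append({
            "time": row["Date & Time"],
            "signature": row["IPS Alert Name"],
            "status": row["Status"],
            "remote_host": rname, "remote_ip": rip, "remote_port": rport,
            "local_host": lname, "local_ip": lip, "local_port": lport,
            "direction": connection_direction(rport, lport),
        })
    return alerts


def summarize(alerts):
    """Group by (signature, remote ip, remote port) -> sorted list of distinct local hosts."""
    groups = defaultdict(set)
    for a in alerts:
        groups[(a["signature"], a["remote_ip"], a["remote_port"])].add(a["local_host"])
    return {key: sorted(hosts) for key, hosts in groups.items()}


def triage(alert, process):
    """One-line verdict: who initiated the connection and which local program did it."""
    if alert["direction"] == "outbound":
        who = process or "an unidentified local process"
        return (f"{alert['local_host']}: outbound connection to {alert['remote_host']}:"
                f"{alert['remote_port']} from {who} was {alert['status'].lower()}; "
                f"examine that process on the host")
    return (f"{alert['local_host']}: {alert['direction']} traffic from "
            f"{alert['remote_host']} was {alert['status'].lower()}")


if __name__ == "__main__":
    alerts = parse_export(SAMPLE_EXPORT)
    process = parse_process(SAMPLE_DETAIL)
    for (sig, ip, port), hosts in summarize(alerts).items():
        print(f"{sig} -> {ip}:{port}: {len(hosts)} host(s): {', '.join(hosts)}")
    for a in alerts:
        print(triage(a, process))
```

The useful output is the grouping: the same signature, the same remote endpoint and the same local process across many unrelated customers points to one common cause on those machines rather than unrelated infections, and the direction check makes it clear that the blocked traffic was opened by the local process named in the alert, so the fix belongs on the host rather than at the perimeter.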

Replies

Kudos0

Re: Norton blocked an attack by: System Infected: Bitcoinminer Activity 6

I did reach out to Norton Chat, who jumped into 2 of the "infected" PCs - but their additional scans and cleanup attempts did not do anything. They said it would be passed to their manager who would follow up with a call within the next hour.

Accepted Solution
Kudos3 Stats

Re: Norton blocked an attack by: System Infected: Bitcoinminer Activity 6

The good news is that the threat from outside the individual users' networks was blocked, and as noted in the Norton History page you posted, no action is necessary. So the systems are not infected. It is just someone trying to attack the systems from outside their personal networks. As all users are on Xfinity, someone could be targeting Xfinity customers.

The local system reference notes where the outside attack is trying to insinuate itself. But as noted, Norton is blocking it. 

I found one other reference about this kind of attack here: https://www.esentire.com/news-and-events/security-advisories/kaseya-virt... It gives some good information on the attack.

Things happen. Export/Backup your Norton Password Manager data.
Kudos0

Re: Norton blocked an attack by: System Infected: Bitcoinminer Activity 6

Hi @Simon @MIS,

Thanks for reporting in the Norton Community Forums. Please let us know if you are still getting Norton "System Infected: Bitcoinminer Activity 6" alerts. I have sent you a private message requesting more details.

Please refer to "System Infected: Bitcoinminer Activity 6" for more details.

Sunil_GA | Norton Forums Administrator | Symantec Corporation
Kudos1 Stats

Re: Norton blocked an attack by: System Infected: Bitcoinminer Activity 6

peterweb - That post was exactly it. We use Kaseya for our remote connectivity software and a handful of the systems were affected by the vulnerability that was outlined there. We're patched and are making our way through the affected machines. Thank you!

Kudos0

Re: Norton blocked an attack by: System Infected: Bitcoinminer Activity 6

Good news for you and a lucky search result for me.   

Thanks for letting us know.

Things happen. Export/Backup your Norton Password Manager data.
