NAV2008 says I'm attacking a botnet?


Your 2nd guess sounds more likely. Be sure that your definitions are up-to-date, then boot the system into Safe Mode and perform a full system scan. Please let me know if this helps. Thanks!

g-man, tell your mom to stop attacking those botnet computers. :smileyhappy:

 

I, too, am interested in what you find out.

I received the same alert today on my computer, with me being listed as the attacking computer.

 

HTTP Malicious Toolkit Download Activity

Risk Level High

Attacking Computer: mine

Destination Address: www.logid83.com (XX.28.71.56.80)

Traffic Description TCP, 1671

 

Norton Antivirus version 15.0.0.58

 

All definitions are up to date. The last full scan was run two days ago. As you recommended, I ran another full scan today in safe mode and nothing was detected.

 

Any ideas?

 

 

 

[edit: broke IP.]

Message Edited by Allen_K on 07-08-2008 09:24 PM

If you are concerned that your system is infected, I would also recommend that you follow the steps listed in the How To Troubleshoot a Suspected Malware Infection announcement.

I received the same notification about the malicious toolkit download activity from my computer.  I tried to install the trial version of the Antibot program but received a message saying that my system does not support this platform.  I'm running WIN2000 Pro.  I then checked for suspicious files/folders in the various startup menus and found nothing.  What next?

Please do as Tony suggested. send a sample to Symantec to test it

9 Likes

Is this what you're looking for?  And is this how I send the info to Symantec?  Forgive me...  I'm new at this. 

 

There were 5 entries on 7/11 in a 10 minute period, nothing before that or since.....

 

Intrusion: HTTP Malicious Toolkit Download Activity.
Intruder: (MY) COMPUTER(xxx.xxx.1.100)(1913).
Risk Level: High.
Protocol: TCP.
Attacked IP: xx.xx.193.9.
Attacked Port: http(80).


Intrusion: HTTP Malicious Toolkit Download Activity.
Intruder: (MY) COMPUTER(xxx.xxx.1.100)(1875).
Risk Level: High.
Protocol: TCP.
Attacked IP: xx.xx.193.9.
Attacked Port: http(80).


Intrusion: HTTP Malicious Toolkit Download Activity.
Intruder: (MY) COMPUTER(xxx.xxx.1.100)(1771).
Risk Level: High.
Protocol: TCP.
Attacked IP: xx.xx.193.9.
Attacked Port: http(80).


Intrusion: HTTP Malicious Toolkit Download Activity.
Intruder: (MY) COMPUTER(xxx.xxx.1.100)(1713).
Risk Level: High.
Protocol: TCP.
Attacked IP: xx.xx.193.9.
Attacked Port: http(80).


Intrusion: HTTP Malicious Toolkit Download Activity.

Intruder: (MY) COMPUTER(xxx.xxx.1.100)(1689).
Risk Level: High.
Protocol: TCP.
Attacked IP: xx.xx.193.9.
Attacked Port: http(80).

 

In the details for all of them it says...

 

Details: Attempted Intrusion "HTTP Malicious Toolkit Download Activity" from your machine against xx.xx.193.9 was detected and blocked.


 

Since I didn't know if it was safe to show the IP addresses I left them out but would be happy to provide them if necessary.

 

I Googled the IP address I'm attacking.  On the list that appears I only recognize my own internet provider, Road Runner.

 

Any help you can offer is greatly appreciated.  Thanks,

 

Janis

Message Edited by janisko on 07-14-2008 05:00 PM
Message Edited by janisko on 07-14-2008 05:37 PM
3 Likes

I have something similar, but it is listed as a medium risk. This happened for me on Friday 7/11/08. Is that the same date for others?

I will start a new post with all the details tomorrow. But here is what I can recall

 

I am using NAV2008 on a Vista Home Premium OS on a home PC

 

It shows that something(I forget the name of the item but I will send that tomorrow) from MY computer is attacking some site on the internet. But that it was blocked from attacking this other address. I think the other address that my computer is "attacking" is like

68.142.213.132 us.bc.yahoo.com Now from what I read, this address has to do with tracking cookies and what not.

 

My defs are up to date and I scan full system nightly. My scans show nothing as far as infection, spyware, etc.

 

So my concern is why would my AV see that I have a threat attacking another computer, yet not show up on my own system scan? Could this be some type of false positive? I have my computer on 24/7 via a dsl connection, yet only had this happen once on Friday 7/11/08 and nothing since

 

So here are my concerns, if I have a virus and my Norton is blocking it from accessing an outside computer why would my Norton

2 Likes

Mine only listed one "intrusion" and the "Intrusion" program was a different type than what others are describing.

 

Could this be some type of false positive based on  new Norton defs?

some type of HTTP IIS something something BO. I will get more detailed on my next post

My log notes this as happening Friday 7/11/08 around 6:30pm Dallas, Texas time

sorry for the continuous short messages. just excited and posting as I think. 

 

Does it seem odd to anyone else that this all happened on 7/11/08 and all had to do with our PCs "attempting" to intrude on what appear to be advertising type sites? 

 

While I sound a little paranoid, I know, let me say that at the same time I feel very safe with my Norton Products and most of my friends do too. So even if there was something afoot from the outside world, I know Norton will handle it.

Hi janisko,

 

To be clear, you're running Norton AntiVirus 2008 on Windows 2000? This is NOT a supported platform for the product, and should be blocking the installation.  As for sending to Symantec, you should send the actual files that are detected to the following site:

https://submit.symantec.com/retail

 

Tony, could there be something to it that all this happened on the same day and with the same kind of issues? Maybe Norton was updating some new set up and it triggered some false positives?

I'm running Norton AntiVirus 2006 (always up to date) on Windows 2000 Professional (with all updates).

 

I have no idea what "actual files" may be suspect.  All I have is this log information showing IP addresses from AntiVirus 2006 that I put into my post.

 

I'm sorry I'm not all that informed on all of this.  Thanks!

Message Edited by janisko on 07-14-2008 08:03 PM

I misrepresented some of my data on the same type of issue. It happened one time on Friday 7/11/08 at 4:55pm Dallas, Texas time. I'm going to post my issue as a separate thread so as not to confuse anyone.

Just confirming that G-Man's issue should be confirmed solved.  The alert and url that you posted is consistent with a drive-by download attack and NAV2008 has prevented the attack and protected you.  We have an issue that we are investigating where the direction of the attack was displayed backwards.  You prevented an attack from the computer - not the other way around in this case.

 

NY1986 has another thread open since this issue is different.  


If that is not correct, please let us know!

Thanks,

John "Dr. Drive-By"

Symantec Security Response

Would that be the same for my issue posted above?

Janisko,

 

You received the same HTTP Malicious Download that the original thread was opened on.  This is an absolute indicator that Norton prevented the drive-by download - care should always be taken to not visit the site until it has been cleaned up.  You can refer to this posting for additional information.  Yes, the direction was switched as well for this attack.

 

Additional information on drive-by download here


If that doesn't look like the case, please open a separate thread and we will look at it.

Thanks,

Doctor Drive-By

Symantec Security Response

 

1 Like
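The two Symantec replies above say the displayed direction was reversed. You can check that claim yourself from the log text by looking at the port numbers: the side using an ephemeral port (1913, 1875, 1689 ...) is the one that opened the TCP connection, and the side on port 80 is the server it connected to. The script below is an added example, not code from this thread or from Symantec. It parses entries laid out like the ones janisko posted, works out who the TCP client was, and summarises the hits per remote host. The IP addresses in it are placeholders standing in for the masked ones in the thread, and the port-based rule is a general TCP heuristic, not Norton's own logic.

```python
"""Parse Norton-style intrusion log entries and infer from the port numbers
which side actually opened the TCP session.

Added example, not code from the thread or from Symantec. SAMPLE_LOG is
constructed to mirror the layout of the entries posted in the thread, with
the masked addresses replaced by placeholder IPs (an assumption). The
port-based rule is a general TCP heuristic, not Norton's own logic.
"""
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample (placeholder addresses); the last entry keeps the stray
# blank line that appears in the posted log, to show the parser tolerates it.
SAMPLE_LOG = """\
Intrusion: HTTP Malicious Toolkit Download Activity.
Intruder: (MY) COMPUTER(192.168.1.100)(1913).
Risk Level: High.
Protocol: TCP.
Attacked IP: 203.0.113.9.
Attacked Port: http(80).

Intrusion: HTTP Malicious Toolkit Download Activity.
Intruder: (MY) COMPUTER(192.168.1.100)(1875).
Risk Level: High.
Protocol: TCP.
Attacked IP: 203.0.113.9.
Attacked Port: http(80).

Intrusion: HTTP Malicious Toolkit Download Activity.

Intruder: (MY) COMPUTER(192.168.1.100)(1689).
Risk Level: High.
Protocol: TCP.
Attacked IP: 203.0.113.9.
Attacked Port: http(80).
"""

# One entry = six labelled lines; \s* between fields absorbs blank lines.
ENTRY_RE = re.compile(
    r"Intrusion:\s*(?P<sig>[^\n]+?)\.\s*"
    r"Intruder:\s*(?P<src_name>[^\n]+?)\((?P<src_ip>[\d.]+)\)\((?P<src_port>\d+)\)\.\s*"
    r"Risk Level:\s*(?P<risk>\w+)\.\s*"
    r"Protocol:\s*(?P<proto>\w+)\.\s*"
    r"Attacked IP:\s*(?P<dst_ip>[\d.]+)\.\s*"
    r"Attacked Port:\s*(?:\w+\()?(?P<dst_port>\d+)\)?\."
)


@dataclass(frozen=True)
class Alert:
    # "local" is the host the log labels Intruder, "remote" the one it labels
    # Attacked; the names deliberately do not assume the log's direction.
    signature: str
    local_ip: str
    local_port: int
    remote_ip: str
    remote_port: int
    risk: str


def parse_log(text: str) -> list[Alert]:
    return [
        Alert(m["sig"].strip(), m["src_ip"], int(m["src_port"]),
              m["dst_ip"], int(m["dst_port"]), m["risk"])
        for m in ENTRY_RE.finditer(text)
    ]


SERVER_PORT_MAX = 1023  # well-known service ports (80 = http)
EPHEMERAL_MIN = 1024    # client-side ports; Windows 2000/XP hand out 1025-5000


def infer_direction(a: Alert) -> str:
    """The side using an ephemeral port opened the connection. A local
    'intruder' on port 1913 talking to remote port 80 is the HTTP client:
    the local machine requested a page and the signature matched the
    content coming back, which is the drive-by download pattern."""
    if a.local_port >= EPHEMERAL_MIN and a.remote_port <= SERVER_PORT_MAX:
        return "local-was-client"
    if a.local_port <= SERVER_PORT_MAX and a.remote_port >= EPHEMERAL_MIN:
        return "remote-was-client"
    return "ambiguous"


def summarize(alerts: list[Alert]) -> dict[str, dict]:
    """Per remote address: hit count, direction tally and the local ports
    used. A cluster of nearby ephemeral ports against one server on port 80
    looks like one browsing session fetching several resources."""
    by_remote: dict[str, list[Alert]] = {}
    for a in alerts:
        by_remote.setdefault(a.remote_ip, []).append(a)
    return {
        ip: {
            "hits": len(group),
            "directions": dict(Counter(infer_direction(a) for a in group)),
            "local_ports": sorted(a.local_port for a in group),
            "signatures": sorted({a.signature for a in group}),
        }
        for ip, group in by_remote.items()
    }


if __name__ == "__main__":
    for ip, s in summarize(parse_log(SAMPLE_LOG)).items():
        print(ip, s)
```

Paste your own log text in place of SAMPLE_LOG to run it against real entries. If every session to a remote host shows "local-was-client" and the remote port is 80, the local machine was browsing to that host, so the "Intruder" label describes the request side of a blocked download rather than an outbound attack. If you ever see the opposite (local service port, remote ephemeral port), something did connect to you and that is worth a closer look.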