RT2600ac A Network Trojan was Detected

I wonder if anybody has some advice, my RT2600 Threat Prevention has started detecting

Event Type: A Network Trojan was Detected
Signature: ET INFO Terse Unencrypted Request for Google - Likely Connectivity Check
Severity: high
Status Drop

on my wife's laptop, every 11 minutes while active - ethernet or wifi.
Looking back at an email trail of notifications, it first occurred Apr 30, then July 6 for 11 times, and then from Aug 1 full time every 11 minutes when it's on.
It's a Windows 10 computer, with Microsoft Defender fully up to date.
I've done a full scan of the system, and booted with an offline scan.
I checked for any unknown programs but it's a fairly clean computer without extra tools. I do have Synology backup, which it seems does some virus scans. On the laptop I have Acronis 2020 with backup to (yes you guessed) a Synology NAS DS218+.
Also ran Malwarebytes, and installed Avira to check it, and monitor it.
They haven't found anything.

So it seems harmless, doing a "Google Connectivity Check", but seems to be in the manner of a quiet trojan waiting for instructions. Any idea if I should be concerned or what I might do about it?

The router is
Release Notes for RT2600ac | Synology Inc.

Destination IP: 142.251.214.132

alert http $HOME_NET any -> $EXTERNAL_NET 80 (msg:"ET INFO Terse Unencrypted Request for Google - Likely Connectivity Check"; flow:established,to_server; content:"google.com"; http_host; isdataat:!1,relative; fast_pattern; pcre:"/(?:^|\.)google\.com$/W"; http_request_line; content:"GET /|20|"; depth:6; http_header_names; content:!"|0d 0a|Referer|0d 0a|"; content:!"|0d 0a|User-Agent|0d 0a|"; content:!"|0d 0a|Accept"; reference:md5,7ca63bab6e05704d2c7b48461e563f4c; classtype:trojan-activity; sid:2036303; rev:2; metadata:created_at 2022_04_22, former_category HUNTING, performance_impact Moderate, updated_at 2022_04_22;)
 
Yes. I was wondering whether to boot Chrome to see what would happen. Also have firefox.
However I also have Chrome on my computer, and am very active with it, and Threat Hazard isn't flagging anything from my computer. It does flag other web events occasionally originating from my computer as "Potentially Bad Traffic".
 
The documentation for threat signatures is pretty limited (to non-existent) so searching for the signature name I get this hit...

https://any.run/report/824418a3fef8efa294e020aef3fb92787df0789d56da88486d6f156d5c0acdbd/dbe3e139-cc0b-4917-beb0-9d9df84c3a6d

It seems to be a malware scan report identifying something called SpyNote v8.6 G.exe. However, there are plenty of times that TP flags up alerts for legitimate callbacks and heartbeats to the major Internet companies which your various apps need in order to work reliably.
 
Thanks fredbert for the hint. Well I guess I got the RT2600 to monitor for unexpected stuff, and it is dropping the connection.
I've uninstalled the apps I can - including Chrome, Spotify, Zoom, FoxiMobile App, Foxit Pdf Reader, Skype, Mozilla Thunderbird, Firefox - After each removal, I've rebooted, and then the check attempt starts up again, on an 11-minute interval.
So almost nothing left installed, except for Acronis and Synology backup.
I also loaded up "agent ransack" and searched the whole c: flash for a file "SpyNote" and nothing showed.
Seems like the next stage is to re-install Windows 10, then possibly while I'm doing that upgrade to Windows 11 with its claimed better security. Or could possibly go directly to Windows 11.
Any suggestions/insights appreciated.
 
I upgraded to Windows 11 and it's not come back. The Windows 11 upgrade was very smooth.
However the last item I uninstalled was a "Synology Active Backup for Business Agent" and I didn't wait the 30 minutes to see if the Events started up again. Seems doubtful.
 
Well I was mistaken, it started back up.
The last Windows 10 TP event was on the 5th at 22:55, and I started downloading Windows 11 and then upgraded overnight.
No TP events emailed through while it was downloading, and I don't have a record of when it started upgrading, but I left it to run. Then checked on it about 6am on the 6th.
Then it started up on the following day, the 7th at 8:45am.
When not in use, and overnight, we typically turn the laptops off. Our email is IMAP, so can be accessed on the phone.
When turning on the laptop, the TP event typically starts up straight away.
It's a Dell laptop, a fairly high end one, though it only has USB C and not ethernet. I added an external USB C to ethernet adapter. About once a month it requires a BIOS upgrade, and that has been going on for 12 months. It has Dell supplied Thunderbolt software. It could be something that Dell is doing - but that would be pretty crass, and not really that informative.
 
I would consider booting up the laptop in safe mode. Let it sit for a day then see what it does. If the problem stops, then you need to identify what programs are running on startup to see if you can identify root cause.
 
Thanks @Coop777. I did do that under Windows 10 and in safe mode for a couple of hours there were no TP events generated.
Looks like I might need to go back and compare between safe mode & standard mode, and also what happens on my computer.
Do you know of a bootlog analyzer? I found this but seems too complex Decode Measured Boot logs to track PCR changes - Windows security
 
install Wireshark to the laptop
capture on the interface in use (wifi or eth, whichever network is used)
use filter:
ip.dst==142.251.214.132

then check which process is the connection enabler

or simple with netstat:
netstat -ano | findstr 142.251.214.132

done

Probably false positive event.
 
jeyare thanks for the suggestion . I haven't used wireshark in years, so good to fire it up.
It found some packets on wifi, but not on the Ethernet - which is over the USB-C.
I've only managed to capture 2 packets - even though more are detected by TP
So it's a GET -
"5397","949.099526","10.66.66.192","142.251.214.132","TCP","118","[TCP Retransmission] 50273 → 80 [PSH, ACK] Seq=1 Ack=1 Win=131328 Len=64"

5384 946.720742 10.66.66.192 142.251.214.132 HTTP 118 GET / HTTP/1.1

0000 00 11 32 bf 0a 34 34 2e b7 f5 29 b8 08 00 45 00 ..2..44...)...E.
0010 00 68 16 36 40 00 80 06 00 00 0a 42 42 c0 8e fb .h.6@......BB...
0020 d6 84 c4 61 00 50 8d 6e 8c fd 0c 15 8d 14 50 18 ...a.P.n......P.
0030 02 01 b2 dc 00 00 47 45 54 20 2f 20 48 54 54 50 ......GET / HTTP
0040 2f 31 2e 31 0d 0a 48 6f 73 74 3a 20 77 77 77 2e /1.1..Host: www.
0050 67 6f 6f 67 6c 65 2e 63 6f 6d 0d 0a 43 6f 6e 6e google.com..Conn
0060 65 63 74 69 6f 6e 3a 20 4b 65 65 70 2d 41 6c 69 ection: Keep-Ali
0070 76 65 0d 0a 0d 0a ve....

"9811","1587.696812","10.66.66.192","142.251.214.132","TCP","66","50331 → 80 [SYN] Seq=0 Win=64240 Len=0 MSS=1460 WS=256 SACK_PERM=1"

Now trying to follow your suggestion for capturing a process.
So I'm trying to poll with
netstat -ano | findstr 142.251.214.132
but seems like it has to be very close to when it sends the packet.
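As an added example (not code from the thread or from Synology), the script below rebuilds the HTTP request from the Wireshark hex dump posted above (Ethernet, IPv4 and TCP headers stripped) and then applies the content checks of the ET signature quoted in the first post: host ends in google.com, request line starts with "GET / ", and no Referer, User-Agent or Accept* headers. It also reads the signature's metadata, which is where the 22 April 2022 creation date comes from. The hex dump is a constructed copy of the one in the thread; the rule checks are hand-translated from the signature text rather than run through Suricata.

```python
import re

# ET sid 2036303 as quoted in the thread; only its metadata is parsed here,
# the content checks are re-implemented by hand in matches_sid_2036303().
RULE = r'''alert http $HOME_NET any -> $EXTERNAL_NET 80 (msg:"ET INFO Terse Unencrypted Request for Google - Likely Connectivity Check"; flow:established,to_server; content:"google.com"; http_host; isdataat:!1,relative; fast_pattern; pcre:"/(?:^|\.)google\.com$/W"; http_request_line; content:"GET /|20|"; depth:6; http_header_names; content:!"|0d 0a|Referer|0d 0a|"; content:!"|0d 0a|User-Agent|0d 0a|"; content:!"|0d 0a|Accept"; reference:md5,7ca63bab6e05704d2c7b48461e563f4c; classtype:trojan-activity; sid:2036303; rev:2; metadata:created_at 2022_04_22, former_category HUNTING, performance_impact Moderate, updated_at 2022_04_22;)'''

# Constructed copy of the Wireshark hex dump of frame 5384 from the thread.
# The parser keeps only the hex byte columns; offset and ASCII columns are skipped.
HEX_DUMP = """\
0000 00 11 32 bf 0a 34 34 2e b7 f5 29 b8 08 00 45 00 ..2..44...)...E.
0010 00 68 16 36 40 00 80 06 00 00 0a 42 42 c0 8e fb .h.6@......BB...
0020 d6 84 c4 61 00 50 8d 6e 8c fd 0c 15 8d 14 50 18 ...a.P.n......P.
0030 02 01 b2 dc 00 00 47 45 54 20 2f 20 48 54 54 50 ......GET / HTTP
0040 2f 31 2e 31 0d 0a 48 6f 73 74 3a 20 77 77 77 2e /1.1..Host: www.
0050 67 6f 6f 67 6c 65 2e 63 6f 6d 0d 0a 43 6f 6e 6e google.com..Conn
0060 65 63 74 69 6f 6e 3a 20 4b 65 65 70 2d 41 6c 69 ection: Keep-Ali
0070 76 65 0d 0a 0d 0a ve....
"""

HEX_BYTE = re.compile(r"[0-9a-fA-F]{2}")
HEX_OFFSET = re.compile(r"[0-9a-fA-F]{4}")
# The rule's pcre "/(?:^|\.)google\.com$/W", applied to the Host header value.
HOST_RE = re.compile(r"(?:^|\.)google\.com$")


def parse_hex_dump(text: str) -> bytes:
    """Turn a Wireshark-style hex dump back into the raw frame bytes."""
    out = bytearray()
    for line in text.splitlines():
        tokens = line.split()
        if len(tokens) < 2 or not HEX_OFFSET.fullmatch(tokens[0]):
            continue                      # not a dump line
        for tok in tokens[1:17]:          # at most 16 bytes per line
            if not HEX_BYTE.fullmatch(tok):
                break                     # reached the ASCII column
            out.append(int(tok, 16))
    return bytes(out)


def extract_tcp_payload(frame: bytes) -> bytes:
    """Walk Ethernet -> IPv4 -> TCP and return the TCP payload (the HTTP request)."""
    if frame[12:14] != b"\x08\x00":
        raise ValueError("not an IPv4 frame")
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4                       # IPv4 header length
    total_len = int.from_bytes(ip[2:4], "big")     # IP total length (0x0068 here)
    if ip[9] != 6:
        raise ValueError("not TCP")
    tcp = ip[ihl:total_len]
    data_offset = (tcp[12] >> 4) * 4               # TCP header length
    return tcp[data_offset:]


def parse_http_request(payload: bytes):
    """Split a raw HTTP/1.1 request into its request line and a header dict."""
    head, _, _ = payload.partition(b"\r\n\r\n")
    lines = head.decode("ascii", "replace").split("\r\n")
    headers = {}
    for h in lines[1:]:
        name, _, value = h.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def matches_sid_2036303(request_line: str, headers: dict) -> bool:
    """Hand-translation of the signature's content checks (not Suricata itself)."""
    if not HOST_RE.search(headers.get("host", "")):
        return False                    # content:"google.com"; http_host; isdataat:!1 + pcre
    if not request_line.startswith("GET / "):
        return False                    # content:"GET /|20|"; depth:6; http_request_line
    # content:!Referer, content:!User-Agent, content:!Accept over http_header_names:
    # a browser sends all three, a bare connectivity probe sends none.
    if any(n in ("referer", "user-agent") or n.startswith("accept") for n in headers):
        return False
    return True


def rule_metadata(rule: str) -> dict:
    """Parse the 'metadata:' keyword of a Suricata rule into a dict."""
    m = re.search(r"metadata:([^;]*);", rule)
    if not m:
        return {}
    return dict(item.strip().split(" ", 1) for item in m.group(1).split(","))


def analyze_dump(text: str) -> dict:
    """Rebuild the request from a hex dump and report whether the rule would fire."""
    request_line, headers = parse_http_request(extract_tcp_payload(parse_hex_dump(text)))
    return {"request_line": request_line, "headers": headers,
            "matches": matches_sid_2036303(request_line, headers)}


if __name__ == "__main__":
    print(analyze_dump(HEX_DUMP))
    print("signature created:", rule_metadata(RULE)["created_at"])
```

The captured request is exactly what the signature looks for: a bare "GET /" to www.google.com with only Host and Connection headers, which is what a connectivity probe sends and a browser never does. Adding a User-Agent or a path other than "/" makes the same function return False, so the alert is about the shape of the request, not about its destination.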
 
Now trying to follow your suggestion for capturing a process.

Drama Popcorn GIF by Alexander IRL
 
Gosh ... good to have the evening's entertainment ... now I found that virus buried deep in the kernel .... oops sorry actually went off to dinner myself.
I left Wireshark running, and it only caught one packet that mapped to a TP event.
Seems to not reliably detect them. I wasn't getting any more catches, so I rebooted the machine and started again .. (and went to dinner)
Actually looking at the router's Threat Prevention screen, direct reporting, it is being detected about every 5.5 minutes, but I had the notification set to not advertise/email events faster than one every 10 minutes.
So not having much luck sitting there and repeatedly doing "netstat" when I think it might be happening. It's perhaps too fast for netstat to figure out - though I don't have any experience with netstat and how long a pipe opening exists for. The subsystem does retry, so it should be reasonably long.

I did do a dump of processes - but of course there are a lot of them.
 
Ok I finally got a trace - thanks to @Gerard for suggestions:) and popcorn encouragement

I put "netstat -ano | findstr 142.251.214.132" into a continuous loop, and it detected
TCP 10.66.66.192:50380 142.251.214.132:80 ESTABLISHED 1572
or PID =1572
using tasklist for PID=1572 have
DellMobileConnectClient.e 1572 Console 1 25,308 K

DellMobileConnectClient.exe, which it seems is by Screenovate
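The netstat/tasklist attribution described in jeyare's post and carried out in the post above, as an added example that is not code from the thread: it parses `netstat -ano` output for connections to a given remote IP, maps each PID through `tasklist` output, and wraps the two in a polling loop so the short-lived connection is not missed. The sample outputs are constructed to match the lines shown in the thread; the `poll()` function assumes a Windows host where `netstat` and `tasklist` are on the path.

```python
import os
import re
import subprocess
import time

# Constructed sample of `netstat -ano` output, in the layout Windows prints;
# the 1572 line mirrors the hit found in the thread.
NETSTAT_OUTPUT = """\

Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       1016
  TCP    10.66.66.192:50380     142.251.214.132:80     ESTABLISHED     1572
  TCP    10.66.66.192:50391     142.250.74.46:443      ESTABLISHED     4210
  UDP    0.0.0.0:5353           *:*                                    2288
"""

# Constructed sample of `tasklist` output (image names are truncated to 25
# characters by tasklist, which is why the thread saw "DellMobileConnectClient.e").
TASKLIST_OUTPUT = """\

Image Name                     PID Session Name        Session#    Mem Usage
========================= ======== ================ =========== ============
System Idle Process              0 Services                   0          8 K
DellMobileConnectClient.e     1572 Console                    1     25,308 K
chrome.exe                    4210 Console                    1    210,116 K
"""

# proto, local, foreign, optional state (UDP rows have none), PID
NETSTAT_LINE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)\s+(?:(\S+)\s+)?(\d+)\s*$")
# image name, PID, session name, session number, memory
TASKLIST_LINE = re.compile(r"^(.+?)\s+(\d+)\s+(\S+)\s+(\d+)\s+([\d,]+ K)\s*$")


def connections_to(netstat_text: str, remote_ip: str) -> list:
    """Every netstat row whose foreign address is remote_ip, with its owning PID."""
    hits = []
    for line in netstat_text.splitlines():
        m = NETSTAT_LINE.match(line)
        if not m:
            continue                      # header, blank, or unparseable row
        proto, local, foreign, state, pid = m.groups()
        ip, _, _port = foreign.rpartition(":")   # works for "[::1]:443" too
        if ip == remote_ip:
            hits.append({"proto": proto, "local": local, "remote": foreign,
                         "state": state or "", "pid": int(pid)})
    return hits


def process_for_pid(tasklist_text: str, pid: int):
    """Image name for a PID from tasklist output, or None if not listed."""
    for line in tasklist_text.splitlines():
        m = TASKLIST_LINE.match(line)
        if m and int(m.group(2)) == pid:
            return m.group(1).strip()
    return None


def attribute_connections(netstat_text: str, tasklist_text: str, remote_ip: str) -> list:
    """Join the two outputs: each matching connection gets its process name."""
    result = []
    for conn in connections_to(netstat_text, remote_ip):
        conn["process"] = process_for_pid(tasklist_text, conn["pid"])
        result.append(conn)
    return result


def poll(remote_ip: str, interval: float = 0.5, duration: float = 900.0) -> list:
    """Live version for the Windows laptop: re-run netstat until the connection
    shows up, then snapshot tasklist while the PID is still alive."""
    deadline = time.time() + duration
    while time.time() < deadline:
        ns = subprocess.run(["netstat", "-ano"], capture_output=True, text=True).stdout
        if connections_to(ns, remote_ip):
            tl = subprocess.run(["tasklist"], capture_output=True, text=True).stdout
            return attribute_connections(ns, tl, remote_ip)
        time.sleep(interval)
    return []


if __name__ == "__main__":
    print(attribute_connections(NETSTAT_OUTPUT, TASKLIST_OUTPUT, "142.251.214.132"))
    if os.name == "nt":                    # only meaningful on the Windows host
        print(poll("142.251.214.132"))
```

Two practical points: tasklist cuts image names at 25 characters in its default table, so `tasklist /FI "PID eq 1572" /FO CSV` gives the full name once the PID is known; and the polling loop captures the process while the socket is still in ESTABLISHED state, which is the window that is too short to hit by typing the command by hand.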
 
You're welcome

as was suggested - false positive

DellMobileConnectClient.exe
is one of the vendor’s mess installed into system.
Remove it.

or

Action:
Windows Firewall/Outbound Rules/New rule ….. disable outgoing traffic to the IP address:
Custom, Program (find the Dell program or All), Http protocol Port=80, any local IP, remote IP (as mentioned), Block the connection

Done
 
Thanks for the popcorn extravaganza and insights.

Certainly I figured out the RT2600's breadcrumb trail, and will uninstall the app.

Just wondering though, it seems like this is a naughty aspect of any app doing this. It started sporadically and then turned full on on Aug 1st. Could the app be compromised? It doesn't seem like it's standard practice for an app being discontinued.
Is it a Trojan for something else? Of course I don't want to find out on my system.
I'm going to do a bit of digital forensics - time of install/creation, manifest? Any suggestions of places to submit it for analysis with its history.
 
From the signature details it was added on 22 April 2022. If that ties into when you first became aware of the alert (or can filter TP to see when it started) then the app [probably] didn't just start doing this but rather TP started to check for this activity.

There was a similar situation when new STUN signatures were added to check for high ports. I had enabled the STUN signatures for standard ports and guess that's why the new STUN rules were added as enabled. The result was a flood of alerts every day caused by IP voice services (certainly MS and Google ones). Plus the IP voice services stopped working reliably.
 