Occasional Contributor
buchemi1
Posts: 5

Botnet (Virus) Activity browser message

When I opened Internet Explorer today, I got the following message displayed by TWC:

Please be aware that Time Warner Cable has received a report of unwanted Internet activity being transmitted from a machine connected to the cable modem on your Time Warner Cable Internet connection. This violates the Time Warner Cable AUP (Acceptable Use Policy) for your residential account.

I have checked that all anti-virus and anti-malware software is up to date. The scans revealed no viruses/bots. This week, I have been using the Dynamic DNS setting in the TWC Ubee modem to allow a domain name that I own to resolve to a local computer connected to the modem. I am a developer and do this so I can view the work on my computer away from home. Does running a home server in this way trigger the TWC systems to send a message in the browser as I described? I have never had a problem in the past with this.

TWC Employee
MegaMasterX
Posts: 143

Re: Botnet (Virus) Activity browser message

In an ongoing effort to snuff out the botnet activity on our network, your DyDNS setting may have triggered this because some botnets forcefully change the DNS settings to modify your network traffic.  You can contact customer service and request to talk to the Security & Abuse department to let them know that you are simply using DyDNS and have them bypass the "modem quarantine" triggered by that. 

___________________________________________________
"Controlling complexity is the essence of computer programming" - Brian Kernighan
Advanced Product Support - NC
Remember, if we have solved your issue, feel free to click "Accept as Solution!"
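One quick check a subscriber can run on their own machines, added here as an example and not code from TWC or from any poster in this thread: compare the resolvers a machine is actually using against the ones you configured, since a resolver you never set is the footprint of the DNS-changing behaviour described above. The script reads either a Linux/macOS `/etc/resolv.conf` or the `DNS Servers` block of Windows `ipconfig /all` output. The allowlist (a hypothetical router at 192.168.1.1 plus Google Public DNS), both sample inputs, and the rogue 203.0.113.53 entry are constructed placeholders.

```python
import ipaddress
import re

# Constructed allowlist of resolvers this LAN is supposed to use: a
# hypothetical router LAN address plus Google Public DNS (named later in
# the thread as a legitimate choice). Replace with your own.
EXPECTED_RESOLVERS = {"192.168.1.1", "8.8.8.8", "8.8.4.4"}

# RFC 1918 ranges: a resolver outside these is not on the home LAN.
_LAN_NETS = [ipaddress.ip_network(n)
             for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

_RESOLV_RE = re.compile(r"^\s*nameserver\s+(\S+)", re.MULTILINE)
_IPCONFIG_HEADER_RE = re.compile(r"^\s*DNS Servers[ .]*:\s*(\S*)\s*$")
_IPCONFIG_CONT_RE = re.compile(r"^\s+(\S+)\s*$")


def _valid_ip(text):
    """True if text parses as an IPv4 or IPv6 address."""
    try:
        ipaddress.ip_address(text)
        return True
    except ValueError:
        return False


def parse_resolv_conf(text):
    """Resolvers declared by nameserver lines (Linux/macOS /etc/resolv.conf)."""
    return [a for a in _RESOLV_RE.findall(text) if _valid_ip(a)]


def parse_ipconfig(text):
    """Resolvers under 'DNS Servers' in Windows `ipconfig /all` output.

    The first address shares the header line; further addresses follow on
    indented lines holding nothing but an address, so keep consuming lines
    until one that does not look like that.
    """
    resolvers, in_block = [], False
    for line in text.splitlines():
        header = _IPCONFIG_HEADER_RE.match(line)
        if header:
            in_block = True
            if _valid_ip(header.group(1)):
                resolvers.append(header.group(1))
            continue
        cont = _IPCONFIG_CONT_RE.match(line) if in_block else None
        if cont and _valid_ip(cont.group(1)):
            resolvers.append(cont.group(1))
        else:
            in_block = False
    return resolvers


def audit_resolvers(resolvers, expected=EXPECTED_RESOLVERS):
    """Split resolvers into expected and unexpected ones.

    An unexpected resolver is what a DNS-changing infection leaves behind;
    one outside the LAN is the worse case, because every name lookup from
    that machine is then answered by a party you did not choose.
    """
    unexpected = [r for r in resolvers if r not in expected]
    off_lan = [r for r in unexpected
               if not any(ipaddress.ip_address(r) in net for net in _LAN_NETS)]
    return {"resolvers": resolvers, "unexpected": unexpected,
            "unexpected_off_lan": off_lan}


# Constructed samples (not captured from a real machine).
SAMPLE_RESOLV_CONF = """\
search home.example
nameserver 8.8.8.8
nameserver 8.8.4.4
"""

SAMPLE_IPCONFIG = """\
Windows IP Configuration

Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . : home.example
   IPv4 Address. . . . . . . . . . . : 192.168.1.23
   Default Gateway . . . . . . . . . : 192.168.1.1
   DNS Servers . . . . . . . . . . . : 192.168.1.1
                                       203.0.113.53
   NetBIOS over Tcpip. . . . . . . . : Enabled
"""

if __name__ == "__main__":
    for name, found in (("resolv.conf", parse_resolv_conf(SAMPLE_RESOLV_CONF)),
                        ("ipconfig", parse_ipconfig(SAMPLE_IPCONFIG))):
        print(name, audit_resolvers(found))
```

On a real machine, feed `parse_ipconfig` the captured output of `ipconfig /all`, or `parse_resolv_conf` the contents of `/etc/resolv.conf`. A resolver you did not set, especially one off the LAN, is worth having an explanation for before calling the Security & Abuse department; a clean result only rules out this one symptom, not an infection that leaves the DNS settings alone.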
TWC Employee
SecurityAdvice
Posts: 2

Re: Botnet (Virus) Activity browser message

Hello buchemi1 and MegaMasterX,

I'm sorry I couldn't respond to this earlier. Unfortunately, MegaMasterX provided some incorrect information.

Your DNS selections (including Dynamic DNS, or using other legitimate DNS sources such as Google) will not trigger a Botnet quarantine. This quarantine triggers because a computer connected to your network has an infection that is part of a network of computers controlled by another party unknown to you.

They can use your computer for any number of activities, typically without your knowledge.

Worse, these infections are not typically simple viruses, or even trojan horses. They can include Rootkits, which are the most insidious class of infection, as there are few comprehensive security programs that can detect and remove a wide number of this kind of malicious code. Your average anti-virus, and even anti-malware program, will not find these issues (much less remove them!).

In short, if you see a quarantine message, it is very likely legitimate, and always a good idea to reach out to the security department for more information! Most of their quarantine messages include their direct phone number.

Occasional Contributor
buchemi1
Posts: 5

Re: Botnet (Virus) Activity browser message

I understand what you mean, however I have already done a thorough virus/malware/rootkit scan on all machines connected to the modem (I don't use the wireless feature on the modem). I was using the DynDNS service, but have since disabled it. In order to use DynDNS and resolve a domain name to a connected machine, one has to log on to the TWC modem, enable Dynamic DNS, configure the Dynamic DNS settings, and enable port forwarding on port 80. This allows a user to go to www.mydomain.com from any computer on the World Wide Web and it will resolve to my local machine connected to the TWC modem. This is a common practice for developers like myself to demonstrate their work to customers. Now, according to what MegaMasterX told me in another post, TWC subscribers are not supposed to log on to their TWC-provided modem and change settings. I did not know this before. It makes sense to me that it would generate a Botnet/Violation of Acceptable Use Policy message because the system would have detected changes to the default settings of the modem and it would look like you are running some type of P2P file sharing or who knows what. That said, I reset the modem to the factory defaults and quit using DynDNS.

New Contributor
dianagram
Posts: 2

Re: Botnet (Virus) Activity browser message

[ Edited ]

Came home last night, tried to get on the Internet, and was met with a warning screen from Time Warner (no pun intended) stating that my service was suspended due to suspected "Bot" activity emanating from either my PC or my local area network. I had to pledge to thoroughly check my system/LAN for malware (I did NOT take their suggestion of reformatting my hard drive). I use ZoneAlarm Security Suite, and it reported no incidents. I checked the network ... seemed fine, no reported attempts to gain access from outsiders. I tried (unsuccessfully) to change my router password (it's still the same as it was ... it hasn't been changed without my knowledge). I checked to ensure that there is no "guest access" allowed on my network. I scanned my system with 3 different malware programs (including Malwarebytes and SpyBot) ... came up with only a relatively tame shopping bot and a win32.downloader.gen malware, which I instantly erased. I took TWC's recommendation and used RUBotted from CNET, with no issues/alerts. Doing a "deep scan" now while I am at work ... and the beat goes on. I am using a Netgear WPN2000 router. No direct phone number was given in the alert from TWC.

Contributor
Xeneth
Posts: 63

Re: Botnet (Virus) Activity browser message

DynDNS settings should have no effect on this and should not trigger the Botnet block. I use DynDNS myself.

Likely either someone reported your IP for botnet activity, or traffic related to botnet activity was directly detected coming from your modem.

Antivirus and other scans are not likely to detect a botnet because it may not be a virus. MalwareBytes is more likely because it goes beyond the classic "virus" definition, but still not guaranteed. Best bet is to find out what info you can from TWC about the trigger, and track it down to disable it. You can use sites such as "http://www.techsupportforum.com/" to help.

If you are uncomfortable with working on it, you may need to find someone who can. Make sure they know what they are doing. There are too many out here who know the basics and cannot deal with anything out of the norm. (Much like you tried with your anti-virus)

I see too many with good legs who refuse to walk,
good eyes who refuse to see,
and good heads who refuse to think.
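If the ISP will not say what traffic tripped the quarantine, the LAN side can still be triaged from a router or firewall connection log, following the "track it down" advice above. This is an added example, not code from the thread, from TWC or from any poster; it assumes the router or a host firewall can export a per-connection outbound log in the constructed format shown, and every timestamp, address and port in the sample is made up. It groups connections per (LAN host, remote host, remote port) and flags tuples that recur at a nearly constant interval, which points at a timer on the host rather than a person browsing.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed log format: "<ISO timestamp> OUT src=<ip>:<port> dst=<ip>:<port> ...".
LOG_RE = re.compile(
    r"^(?P<ts>\S+) OUT src=(?P<src>[\d.]+):\d+ dst=(?P<dst>[\d.]+):(?P<dport>\d+)"
)


def parse_log(lines):
    """Turn log lines into (timestamp, src, dst, dport) tuples; skip junk lines."""
    events = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        events.append((datetime.fromisoformat(m["ts"]),
                       m["src"], m["dst"], int(m["dport"])))
    return events


def find_beacons(events, min_count=5, max_jitter=0.2):
    """Return (src, dst, dport, interval_seconds) for regular repeated connections.

    max_jitter bounds the ratio of standard deviation to mean of the gaps
    between consecutive connections: a person's browsing has large jitter,
    a check-in loop on a timer does not. min_count avoids flagging a pair
    of coincidental repeats.
    """
    by_tuple = defaultdict(list)
    for ts, src, dst, dport in events:
        by_tuple[(src, dst, dport)].append(ts)
    beacons = []
    for key, stamps in by_tuple.items():
        if len(stamps) < min_count:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            beacons.append((*key, round(avg)))
    return beacons


# Constructed sample: one LAN host (192.168.1.23) contacts 198.51.100.7:8080
# about once a minute; another host (192.168.1.10) browses irregularly.
SAMPLE_LOG = """\
2013-05-01T22:00:00 OUT src=192.168.1.23:51002 dst=198.51.100.7:8080 proto=TCP
2013-05-01T22:00:09 OUT src=192.168.1.10:49155 dst=198.51.100.20:443 proto=TCP
2013-05-01T22:01:00 OUT src=192.168.1.23:51003 dst=198.51.100.7:8080 proto=TCP
2013-05-01T22:01:31 OUT src=192.168.1.10:49156 dst=198.51.100.21:443 proto=TCP
2013-05-01T22:02:01 OUT src=192.168.1.23:51004 dst=198.51.100.7:8080 proto=TCP
2013-05-01T22:02:45 OUT src=192.168.1.10:49157 dst=198.51.100.20:443 proto=TCP
2013-05-01T22:03:00 OUT src=192.168.1.23:51005 dst=198.51.100.7:8080 proto=TCP
2013-05-01T22:04:00 OUT src=192.168.1.23:51006 dst=198.51.100.7:8080 proto=TCP
2013-05-01T22:05:00 OUT src=192.168.1.23:51007 dst=198.51.100.7:8080 proto=TCP
garbage line that should be skipped
""".splitlines()

if __name__ == "__main__":
    for src, dst, dport, interval in find_beacons(parse_log(SAMPLE_LOG)):
        print(f"{src} -> {dst}:{dport} every ~{interval}s")
```

A hit tells you which LAN machine to pull off the network and examine, and which remote endpoint to mention when you call the security department; it does not by itself prove infection, since software updaters and chat clients also poll on timers, so confirm what process owns the connection on that host before acting.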