Do I have a trojan?
-
Mods, my apologies if I posted in the wrong forum; please move where appropriate.
Hi guys, so I've been running pfSense for 3 months and haven't had any issues. Last night, after connecting my ASUS RT-AC68U to the LAN port on the pfSense box (I had/have only one PC connected to pfSense), I logged on to the pfSense admin page, saw the Snort alerts tab (screenshot crop below) and got concerned. I then downloaded the logs and searched for "trojan", and sure enough there were other alerts with "trojan": "A Network Trojan was detected". That was the first time I've looked at the logs and my first time seeing that alert type in Snort. I use a customized IRC client called Chatty to get on twitch.tv so that I can be in several streams (channels) at the same time without having multiple Chrome windows/tabs open. This IRC client (Java) supports Twitch's whisper feature, and when you get one it just pops up in a separate tab, kind of like a PM of sorts; in the browser you get a "whisper" and it stays in the chat window, no popups. I know that the IPs in the Snort alerts screenshot belong to Twitch, as I have logged on to Twitch via Chrome and can see that Chrome is connected to similar IPs (192.16.64.212/192.16.64.xx) depending on what stream/channel you're in.
So I searched the Snort alerts log and have seen a few more "TROJAN" entries in the log (see screenshot below). My question is: do I have a trojan? Should I really be concerned about the trojan alerts coming from Twitch's IPs via the IRC client? Or is this pfSense's way of telling me it's doing its job and it blocked the "trojan"? I've scanned my PC for viruses/trojans/malware and it has come back clean. I don't visit any warez sites or download any shady programs/cracks or whatnot. I am however concerned about those entries, and any help would be appreciated. Thanks in advance.
![snort alerts.png](/public/imported_attachments/1/snort alerts.png)
-
50 views, no replies :o ? I'm not really looking for a detailed explanation; a simple "yes, you have a trojan" or "no, you don't" would suffice. And should I be concerned the next time I see a trojan entry in the Snort alerts tab/logs? Again, a simple yes or no is all that's needed. Thanks.
-
I'm not an expert on Snort and didn't feel comfortable replying without talking out of my ass, but I am aware that Snort does flag some false positives, and this looks like one to me.
-
@KOM:
> I'm not an expert on Snort and didn't feel comfortable replying without talking out of my ass, but I am aware that Snort does flag some false positives, and this looks like one to me.
Thanks KOM, I appreciate your reply. Maybe I should have posted this thread in the packages forum?
-
When you hide the "offending" address, I think it's pretty much irrelevant where you post this. Someone could at least check the IP reputation using some of the tons of online sources. Sigh. 192.16.64.0/21 is http://www.twitch.tv, which hardly is a trojan.
-
You've established that the Snort alerts correspond with the use of this chat program, but what you need to do now to determine if it's a trojan is find out if the chat program is doing anything over and above what you would expect it to do.
You suggest it's a Java program, so a quick search might throw up a few tutorials in Java debugging; see if you can find out what it's doing internally.
Failing that, why not look around for some tools to show what file handles it might be using. If you are using Windows, the Sysinternals suite of programs is useful for seeing what files a program is using, and for seeing if it's using/accessing files you would expect it to. The thing to remember, though, is that the files you see it accessing may not be all the files it accesses, as some programs are very capable of accessing files on an ad-hoc basis. Likewise it might even be transmitting something across the net and then using pipes to communicate with another program which actually accesses files or sectors on a hard disk.
When an AV company decides some program code is a virus, they observe what it does and, when necessary, decompile it to inspect the program code. This process can take anything from a few hours to a few years for them to decide if it's a virus or not, and requires shedloads of learning on the fly, which puts a lot of people off.
Expecting or anticipating certain human behaviours is a factor the spooks rely on enormously, which is why they are big into psychology and developed the first IQ test out of some of their advances, which is partly why school reports are useful, as they can target individuals (kids) whilst still at primary school and start setting them up without their or their parents' knowledge. Health records and trips to the shrink are also useful for getting greater insight into their targets, and most medical experts are not experts in computer security; besides, it's also why the NHS is so heavily valued in the UK: people are duped into thinking it's useful for them when it's more useful for the spooks.
The overriding issue is: do you trust your software, and even if you trust it, do you trust relatives of the programmers and other people involved in said software you trust not to inadvertently make it easier to hack the very software you trust? One way of putting it: do you know of any employees who have teenagers who are statistically very likely to have sex hormones coursing through their veins and, if so, are statistically likely to visit a porn site, which is statistically the best way to test your security systems and thus likely to lead to their hardware and others' hardware getting hacked, leading to the software you think you trust being hacked and thus propagating the hack to many more unsuspecting individuals?
Ironically, the UK Govt has just passed an update to the consumer rights law which makes it easy to seek compensation from companies who infect someone's computer systems. I can't help but see it as a backup in case the spooks can't get the new updated snoopers' charter through Parliament, which will make it legal for them to hack British subjects on home soil.
Just how far do you go to think these things through?
-
Eh. All the "trojan" alert says is that it sees IRC-like chat/PM traffic on a port not normally used for IRC. If you have a Java application that uses IRC for chat, that would seem like a perfectly expected state of things and not a trojan. If you don't trust the application even when it's talking to perfectly expected servers, simply stop using it.
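As an added example that is not from anyone in this thread: a small Python triage script that parses Snort alerts and separates signatures whose destinations all fall inside a known-service range (here the 192.16.64.0/21 Twitch block quoted above) from signatures that deserve a closer look. The sample alert lines, SIDs and rule messages are constructed, and treating that block as a trusted service is an assumption for the example.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample alerts in Snort "fast" format; SIDs and messages are placeholders.
SAMPLE_ALERTS = """\
01/10-22:14:31.120000  [**] [1:9000001:1] CHAT IRC PRIVMSG on non-standard port [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 192.168.1.10:51234 -> 192.16.64.212:443
01/10-22:14:35.400000  [**] [1:9000001:1] CHAT IRC PRIVMSG on non-standard port [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 192.168.1.10:51240 -> 192.16.64.213:443
01/10-22:16:02.000000  [**] [1:9000002:1] ADWARE DealPly check-in [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 192.168.1.10:51300 -> 203.0.113.45:80
"""

ALERT_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\]\s+\[Classification:\s*(?P<cls>[^\]]+)\]\s+"
    r"\[Priority:\s*\d+\]\s+\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[\d.]+):\d+\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)$"
)

# Known-service allowlist; assumption: the Twitch block quoted in the thread.
KNOWN_SERVICES = {"twitch.tv": ipaddress.ip_network("192.16.64.0/21")}


def parse_alerts(text):
    """Yield one dict per parseable fast-format line; junk lines are skipped."""
    for line in text.splitlines():
        m = ALERT_RE.match(line.strip())
        if m:
            yield m.groupdict()


def known_service(ip):
    """Return the allowlisted service whose network contains ip, else None."""
    addr = ipaddress.ip_address(ip)
    return next((name for name, net in KNOWN_SERVICES.items() if addr in net), None)


def triage(text):
    """Group alerts by SID. A signature whose destinations are all known
    services gets 'known-service'; anything else gets 'investigate'."""
    groups = defaultdict(lambda: {"msg": "", "cls": "", "count": 0, "dests": {}})
    for a in parse_alerts(text):
        g = groups[a["sid"]]
        g["msg"], g["cls"] = a["msg"], a["cls"]
        g["count"] += 1
        g["dests"][a["dst"]] = known_service(a["dst"])
    for g in groups.values():
        g["verdict"] = "known-service" if all(g["dests"].values()) else "investigate"
    return dict(groups)


if __name__ == "__main__":
    for sid, g in triage(SAMPLE_ALERTS).items():
        print(sid, g["verdict"], g["count"], g["msg"], sorted(g["dests"]))
```

The verdict only says where the traffic went, not what the application did; a signature marked 'investigate' still needs the host-side checks discussed in this thread.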
-
> When you hide the "offending" address, I think it's pretty much irrelevant where you post this. Someone could at least check the IP reputation using some of the tons of online sources. Sigh. 192.16.64.0/21 is http://www.twitch.tv which hardly is a trojan.
When you say "When you hide the "offending" address", are you talking about the red blocks in the screenshots I provided? If that's what you're talking about, it's not an offending address, it's just my IP that I didn't want to show in the screenshot. I already knew who those IPs belonged to; I was more concerned with why they were showing up in the Snort alerts tab as a TROJAN. Is this just an alert telling me that it blocked a "trojan"?
> Eh. All the "trojan" alert says that it sees IRC-like chat/PM traffic on a port not normally used for IRC. If you have a Java application that uses IRC for chat, that would seem like perfectly expected state of things and not a trojan. If you don't trust the application even when it's talking to perfectly expected servers, simply stop using it.
Yes, it's a customized IRC Java application for Twitch, http://chatty.github.io/ . It's not that I don't trust the application; it's that I've been using pfSense for 3 months and had never seen a trojan alert, nor any other alert about IRC, until the other night (and in the logs), when I unplugged my PC from the LAN port on the pfSense box and connected a router (Asus RT-AC68U), so my PC lost internet for a minute and the Chatty IRC client kept trying to reconnect. That's why I have those alerts in the first screenshot. My concern was not necessarily about the IPs, as I knew they belonged to Twitch, but more so about why it was getting flagged as a trojan. doktornotor, I really appreciate you taking the time to answer my concerns; you've put those concerns to rest. Thanks again!!
-
The first doesn't seem to be an issue. Just IRC running over a non-standard/default port.
However, the second is related to DealPly, an adware extension/add-on for browsers. It's normally installed as a bundle with some 'freeware' programs.
You can check the computer for this and remove it.
See: https://malwaretips.com/blogs/dealply-adware/