Traficom detects Gumblar Malware Traffic Coming from My Mac, but F-Secure Scanner Detects Nothing

Macuser1000 Posts: 5 Observer
edited December 2020 in F-Secure SAFE

Hi All,

I tried to get help with this from my Internet connection providers, but they could not help. I also tried to find help from the F-Secure chat, but the chat person did not want to help.

I use the DNA Turvapaketti, which is of course a DNA product, but it uses F-Secure virus detection technology and database, as we all know. So, I have been informed by my Internet connection providers that Gumblar malware traffic is coming from my Internet connections. Ultimately, they got the information from Traficom. I have done a full scan of my Mac twice without any results. I also did a full scan of my Mac with Antivirus X-Out, and it could not detect anything. I got Antivirus X-Out from the Apple Store and I updated its virus detection database.

The Mac is the only device I use on the Internet.

But one of my Internet connection providers says that criminals must have remote control of my Mac and can use my computer as a bot for malware traffic.

As there is no sign of any malware or virus on my Mac and, secondly, no malware can be detected by the DNA Turvapaketti (F-Secure-based) or by Antivirus X-Out, the claim that criminals are using my Mac as a bot sounds really crazy!

I have also checked all the controls that could let others use my computer, and there is no sign of any remote control and there is no possibility of remote control because I have prevented it.

Also, my F-Secure-based virus scanner actively scans my computer, and it has not given any sign of malware. I have done a full scan of my Mac twice.

It should also be noted that Gumblar is ages-old technology and was for Windows operating systems like XP and 2000. If there is a new version of Gumblar on my Mac, it has to be a new and very-hard-to-detect version of Gumblar. It just does not make sense to make it look like Gumblar.

Anyway, if it is true that there is malware on my Mac which the newest virus scanners cannot detect, there is a very serious information security fault in the F-Secure virus detection databases. So, urgent measures for solving the issue are needed. Otherwise, we cannot trust F-Secure-based products.

Answers

  • Ukko Posts: 3,215 Superuser
    edited December 2020

    Hello,

    Sorry for my reply. I am only an F-Secure (their home solutions).

    but it uses F-Secure virus detecting technology and database as we all know.

    It is worth noting here that the branded solution and the current one from F-Secure can sometimes differ greatly. And, in particular, in recent days the security solution for the Mac platform has had significant changes, improvements and new features.

    I am not sure how to check which version you have installed. But you can just check the available release notes - https://community.f-secure.com/safe-en/kb/articles/5272-whats-new-in-f-secure-safe-for-mac . This can be useful in understanding the set of features / version number compared to your installation.

    However, perhaps, the basic ones should be "universal" and indeed there is not much difference for general/basic possibilities.

    So, I have been informed from my Internet connection providers that Gumblar malware traffic is coming from my Internet connections.

    The mac is only device I use on the Internet.

    So, is it possible that some kind of 'strange' neighbors can connect to your network?

    I mean, are they there? If so, for example, and if your network is Wi-Fi - then they could hack/guess the password and use your network. If it is mostly Ethernet - well, there can be a physical hack before your home (on the link from the ISP). In general, this is a hugely fantastic scenario - but anyway.

    Another thing is the "Router". Or what is the way your Mac is connected to the Internet? Can there be something wrong with your router model (a known vulnerability or even an 'unknown' one)? Is it possible to access the web panel (admin panel) of the router? And such things.

    But one of my Internet connection providers say that criminals must have a remote control to my Mac and they can use my computer as a bot for malware traffic.

    Actually, not relying on your case, but it is a fairly common situation. And in addition, of course they (the ISP) simply cannot or do not want to understand a specific reason. They just found some abnormality and are trying to notify the client. And I do not think they said or mentioned that the Mac device itself is involved (or did they?).

    I have also checked all the controls that could let others to use my computer and there is no sign of any remote control and there is no possibility for the remote control because I have prevented those.

    You mean in Mac settings / options?

    Also, remote control can be limited to an installed 'application'/'script' (maybe even a browser addon/extension) with the ability to receive / act on network communication (but I am not sure if such a thing is actual/exists for the Mac platform). So, it can be really unnoticeable as such.

    Also my F-Secure-based virus scanner scans actively my computer, and it does not have given any signs of the malware. I have full scanned twice my Mac.

    Anyway, if it is true that there is a malware in my Mac, which the newest virus scanners cannot detect, there is a very serious information security fault in the F-Secure virus detecting databases

    I think you need to ask your ISP for more information. More specifics, more examples or some recommendations. For example, is the sign of trouble an attempt to connect to a certain domain? Or something more?

    This is simultaneously with an attempt to rule out possibilities of trouble with the router (DNS settings, in particular), the physical presence of someone, and having other devices connected to the Internet.

    Also, it is good to be sure that your device has all the latest/available security updates and patches. Perhaps there were some known/large troubles with Mac in recent years that are critical.

    And, basically, most of the modern security solutions will ignore the user's own actions (where it is supposed that performing something tricky is possible only after multiple built-in security ways/mechanisms) as long as something specific and known to be harmful is not encountered. This is one of the reasons why the current F-Secure Mac solutions come with many improvements.

    Thanks!

    // Also, I decided to read a little and search for information about this "Gumblar". Especially when it comes to Mac.

    Surprisingly, there are quite a few references (and even "recent" ones). What can be said about mutually exclusive (or partially complementary, but not interrelated) things:

    • Many (different) ISPs use the same provider (third-party partner or software/hardware) to detect anomalies in Internet traffic, which can use a specific detection technique where there is some false-positive signature.
    • The way in which providers serve and provide their routers and modems, and how someone is trying to exploit it.
    • A certain trouble/vulnerability with certain popular Mac software; or a router model; or the system itself.

    But there is a reference to a potential point such as copying/spoofing the modem's MAC address (if it is really technically possible nowadays), when, as a result, a completely third-party device will be 'perceived' by the ISP as you/your device/modem.

    I read about this point (with the reference to another web discussion) there: How do I get rid of a gumblar botnet - Apple Community

    where there are users with information that after replacement of the modem(?!) the situation will improve.

    For instance, topics/discussions were about different ISPs with a 'close to each other' look. Rogers, Virgin Media, yours. With a certain timeframe of 'visible' activity.

    Thanks!

  • Macuser1000 Posts: 5 Observer

    Hi, thanks for your comment. I appreciate it, but it is not really helpful. First, if there are really criminals who can control my Mac and the F-Secure-based virus scanner + other virus scanners cannot detect the malware on my computer, it is a dead serious situation. If so, anyone with the Gumblar malware and the knowledge of how to use it can access Macs with the Mojave operating system and can remotely control anybody's computer with the aforementioned setup. So, why even try to use the F-Secure-based virus scanners? In that case, they do not work anyway.

    I have all the latest security updates with the latest virus database updates. I just scanned my computer again and nothing. I checked Wi-Fi logs etc. Nothing. I am just scanning ports. So far so good and nothing there as well. The firewall has been ON since I bought my Mac.

    Either the Finnish Internet administration, Traficom, which observes the malware traffic, is wrong with their claim, or there is a dead serious, new malware which pretends to be Gumblar for some reason. So, maybe there is a reason to be worried, because criminals can use the malware on other computers as well. It seems to be very easy for them in the current situation and with the current virus scanners.

    When it comes to my Internet connection providers, they cannot give any proper advice because they do not know any better than I what could be wrong. The advice from them is "please scan your computer with a different virus scanner" etc., which is trivial. You do not need them for that. And I did that already. F-Secure could help me if they were willing to remotely deep-scan my computer.

    And yes, Traficom can use a third-party solution, as you said, which does not work, or the one who uses it cannot use it correctly and that is why they get false results. But it is not helpful either, because the Internet connection providers can close my Internet connections almost anytime for continuous alleged malware traffic I cannot detect with any virus scanner or any other way. That is the fact anyway.

    I also read the article under the link you mentioned in your answer. It was not helpful either, as I do not have any idea of what to do about the problem, because I cannot detect any problem on my computer which allegedly sends malware traffic. I appreciate any methods to test routers and modems for this case. I could not find any that could be applied to my case.

    If Traficom is really sloppy with its analysis, then legal action against them is needed, because this takes a lot of my time and because of all these scare tactics to close my Internet connections in this life-threatening situation we are living in now with all the Covid-19 cases and lockdown. So, if all this malware hunting is done in vain because Traficom cannot do their job correctly, then they are responsible for their false claims.

  • Macuser1000 Posts: 5 Observer

    And in addition to my answer, my Internet connection, of course, has been behind a password. Also, all addons have been removed. I have denied all the remote control options in my System Preferences. So, it has to be a new, very effective malware if they can still control my computer and virus scanners with the newest databases cannot detect the malware.

  • Ukko Posts: 3,215 Superuser

    Hello,

    Thanks for your reply and response!

    First, if there are really criminals who can control my Mac and the F-Secure-based virus scanner + other virus scanners cannot detect the malware on my computer, it is a dead serious situation. If so, anyone with the Gumblar malware and the knowledge of how to use it can access Macs with the Mojave operating system and can remotely control anybody's computer with the aforementioned setup. So, why even try to use the F-Secure-based virus scanners? In that case, they do not work anyway.

    So, I did not write that your system has malware. I am just trying to figure out what the options might be, and that perhaps this is false positive information from your ISP (or is not directly related to malware).

    Then, they are not always criminals. It can also even be just an automated process (with no control or with lost control). In addition, quite often user interaction is potentially required (so, only a piece of malware and the knowledge of how to use it is not enough for access to anyone's system). Besides that, if some legitimate software is involved in this, then it is harder to detect it (well, or "impossible", including when it uses its described functionality or acts with the consent of the user). Simply put, to call any suspicious software, script or file malicious is also illegal in some way.

    Nevertheless, if something 'known' malicious appears or is detected (or became known), then there is a benefit from security software with a traditional approach (by signatures). But the very fact of extended protection and improved detection ways is also important. So, such software (including F-Secure's) is useful against certain types of threats and against some sorts of unknown ones. But, of course, from time to time there can be exceptions. Sometimes only temporary. Your particular situation looks more like a false positive (wrong information from the ISP) or something that is too tricky for detection by the means used.

    I have all the latest security updates with the latest virus database updates. I just scanned my computer again and nothing. I checked Wi-Fi logs etc. Nothing. I am just scanning ports. So far so good and nothing there as well. The firewall has been ON since I bought my Mac.

    That is good! And that for sure means there are no ordinary malicious activities / items.

    Either the Finnish Internet administration, Traficom, which observes the malware traffic, is wrong with their claim, or there is a dead serious, new malware which pretends to be Gumblar for some reason.

    Apparently it is unknown why they call it Gumblar and what they mean by using this term.

    When it comes to my Internet connection providers, they cannot give any proper advice because they do not know any better than I what could be wrong.

    Yes, this is a clear point. But I mean they could(?) provide additional information like: on that day, at this hour, your(?) device or your IP tried to ping/connect/open a website/IP/resource that is known as part of the Gumblar botnet. Or what is the reason for claiming your devices / network are involved in something? They should know.. probably.

    I appreciate any methods to test routers and modems for this case. I could not find any that could be applied to my case.

    Perhaps you may have done most of what I could suggest. But the very basic one (against DNS hijacking) is F-Secure Router Checker - https://www.f-secure.com/en/home/free-tools/router-checker

    In fact, it is simply checking that trusted (well-known) DNS servers are in use (most often the ones provided by the provider). There are also many alternative services (including more advanced ones). But this is, in fact, just a replacement for manually checking system settings, devices, and so on. Maybe also check for dubious router settings (admin panel, configuration panel) and device settings on the network side.

    And I did that already. F-Secure could help me if they were willing to remotely deep-scan my computer.

    Perhaps you could try to contact them once more. Or maybe they really cannot assist you because of the contracts/legal matters of the branded solution (privacy/terms and such things), where they are not eligible to do so.

    If your solution provider cannot help, you can perhaps insist on escalating the case to F-Secure engineers. Actually, the F-Secure Mac team can respond here on the community too (maybe).

    And yes, Traficom can use a third-party solution, as you said, which does not work, or the one who uses it cannot use it correctly and that is why they get false results. But it is not helpful either, because the Internet connection providers can close my Internet connections almost anytime for continuous alleged malware traffic I cannot detect with any virus scanner or any other way. That is the fact anyway.

    Did you inform them that the system is scanned and the other steps are done? What is their response? "Malware traffic is still there"?

    In fact, the topics mentioned say that even with completely disconnected devices and other things - only a "modem" in action - they were also notified of suspicious traffic. Actually, that opinion about MAC address spoofing (of the modem, not the router) is somewhat fancy - but it sounds quite suitable for the 'provided' stories/settings/information.

    So, it is clearly needed to know what the "trigger" is for the claim about the suspicious event.

    And just as general information, having an open port is not always the only way to exploit a hole in a router. Also, some trusted application can perform questionable actions as a result of an update or incident. Sometimes blatantly malicious things are not used - so they may not be detected by security software. I am not very familiar with the Mac platform and its threats. So it's hard to say, but with Windows there have been completely fairy-tale and "magical" scenarios.

    Again, if your setup is indeed only one device (and nothing else potentially connected to your network), and all is fine with the device, it indeed sounds like a completely strange situation. But

    So, it has to be a new, very effective malware if they can still control my computer and virus scanners with the newest databases cannot detect the malware.

    Likely the proper wording is not "can control your computer / cannot detect the malware". Because it can also be some fileless thing (or something whitelisted/allowed to perform certain types of actions) that uses something that can be 'dangerous'. Thus, it may not be about really "controlling your computer" (it is not possible to perform 'any' action).

    So, if any piece of "code" tries, for example, to connect to a domain (listed as part of botnet/malicious activity) and this is enough for your ISP - then... in a fantastic view - it can even be a watched advertisement(?!).

    Sorry for my English! Good if someone else will suggest something.

    Thanks!

  • Macuser1000 Posts: 5 Observer

    I also checked my computer with EtreCheck and there is no sign of malware programs. Thus, it seems that Traficom did a false analysis. Anyway, if anybody has suggestions on how to find malware / keylogger programs on a Mac, thanks.

  • johanna20 Posts: 1 New Member

    @Macuser1000 did you find out anything new? I have the same problem; last week Traficom told my Internet connection provider that I have Gumblar; I cannot detect it with F-Secure SAFE...

  • Macuser1000 Posts: 5 Observer

    Hi Johanna20,

    I am sorry for the late reply. I was waiting for the results of the analysis. An F-Secure expert found traces of an adware program on my computer. It is called net.downloadhelper.coapp.app. I googled it, and it is a Firefox extension for downloading YouTube videos. I removed it after the Traficom report. Antivirus X-Out found the downloader as a suspicious program, but the F-Secure-based virus scanner did not. Anyway, it is gone now.

    So, things should be OK now. I have multiple virus scanners etc. installed on my computer. I am afraid that is the way to go in the future.

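The companion app named in the post above is the kind of helper that an extension registers with the browser as a "native messaging host": a small JSON manifest that points at a binary which runs outside the browser and can make its own network connections. The script below is an added example, not code from F-Secure or from anyone in this thread; it enumerates those manifests on macOS (the directory list is the real macOS location set) and flags the points a defender would review, while the two manifests in `demo()` are constructed samples.

```python
"""List browser native-messaging hosts and flag what to review.

Added example, not from F-Secure or this thread. An extension can ship a
helper binary and register it through a JSON "native messaging host" manifest
(the net.downloadhelper.coapp companion app named in the thread is one such
helper). The helper runs outside the browser as an ordinary process, so it
is worth listing when an ISP reports traffic that a file scan does not explain.
"""
import json
import os
import tempfile
from pathlib import Path

# Real manifest locations on macOS (user and system scope, Firefox and Chrome).
MANIFEST_DIRS = [
    "~/Library/Application Support/Mozilla/NativeMessagingHosts",
    "/Library/Application Support/Mozilla/NativeMessagingHosts",
    "~/Library/Application Support/Google/Chrome/NativeMessagingHosts",
    "/Library/Google/Chrome/NativeMessagingHosts",
]

# Where a legitimately installed helper binary is normally expected to live.
EXPECTED_PREFIXES = ("/Applications/", "/usr/local/", "/opt/")


def audit_manifest(manifest: Path) -> dict:
    """Summarise one manifest: host name, helper binary and findings to review."""
    data = json.loads(manifest.read_text())
    binary = data.get("path", "")
    findings = []
    if data.get("type") != "stdio":
        findings.append("unexpected type (expected stdio)")
    if not binary:
        findings.append("no helper binary path")
    elif not os.path.isabs(binary):
        findings.append("relative helper path")
    elif not binary.startswith(EXPECTED_PREFIXES):
        findings.append("helper binary outside application directories")
    if binary and not Path(binary).exists():
        findings.append("helper binary missing (dangling manifest)")
    if not (data.get("allowed_extensions") or data.get("allowed_origins")):
        findings.append("no extension/origin allow-list")
    return {"manifest": str(manifest), "name": data.get("name", ""),
            "binary": binary, "findings": findings}


def audit_dirs(dirs=MANIFEST_DIRS) -> list:
    """Audit every *.json manifest in the given directories (missing dirs yield nothing)."""
    results = []
    for d in dirs:
        for manifest in sorted(Path(d).expanduser().glob("*.json")):
            results.append(audit_manifest(manifest))
    return results


def demo() -> dict:
    """Run the audit over two constructed manifests in a temp dir, keyed by host name."""
    root = Path(tempfile.mkdtemp())
    helper = root / "coapp-helper"  # constructed stand-in binary, not the real coapp
    helper.write_text("#!/bin/sh\n")
    (root / "net.downloadhelper.coapp.json").write_text(json.dumps({
        "name": "net.downloadhelper.coapp", "type": "stdio", "path": str(helper),
        "allowed_extensions": ["example-extension@example.invalid"]}))
    (root / "com.example.stale.json").write_text(json.dumps({
        "name": "com.example.stale", "type": "stdio",
        "path": "/Applications/Example.app/Contents/MacOS/example-helper",  # constructed
        "allowed_extensions": ["stale@example.invalid"]}))
    return {r["name"]: r for r in audit_dirs([str(root)])}


if __name__ == "__main__":
    for name, r in demo().items():
        print(name, r["binary"], r["findings"] or ["nothing flagged"])
```

Run it without arguments on a Mac by calling `audit_dirs()` instead of `demo()`; a helper that is flagged is not proof of malware, only the process to look at next in a connection monitor such as the ones recommended later in this thread.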
  • Tappendaali Posts: 6 New Member

    Hi @Macuser1000

    I have the same problem with my Internet provider Elisa. Elisa's guy said my Internet connection will be disconnected if I do not get the issue fixed. I scanned my computers (iMac and MacBook) with F-Secure SAFE, Avast Antivirus and Antivirus X-Out. Nothing found. I did not find that downloadhelper extension in the Firefox extension list either. I have F-Secure SAFE Total active on both machines. The guy from F-Secure said that SAFE would have found that Gumblar malware.

    So I don't know whether it is on my iMac or MacBook or not.

  • Rusli Posts: 1,002 Adventurer
    edited January 4

    Hi

    Firstly, I do not know what brand of Wi-Fi router you are currently using.

    I suggest updating your Wi-Fi router firmware. This is a must, as many users do not update their Wi-Fi router firmware. Make sure it is up to date. After updating the Wi-Fi router firmware, do a reset of the Wi-Fi router and reconfigure your router settings again. And disable the UPnP setting on the router. Make sure you change the admin password of your router and change the user name. Make sure you turn on the firewall. Disable any SSH on the Wi-Fi router. Use HTTPS to log in to your Wi-Fi router.

    Check your router with GRC Shields-Up. https://www.grc.com/default.htm

    Check your Mac with the F-Secure Router Checker tool. https://www.f-secure.com/en/home/free-tools/router-checker

    After doing that, have you tried another antivirus, such as AVG Antivirus for Mac from this link?

    Do a full scan on your Mac computer.

    Another thing that I need to check: do you have any Java installed? You need to uninstall it and download the latest version of Java. If you are not using any Java application or software, you can uninstall the program from your Mac.

    You can use another set of tools by downloading from the Objective-See website, https://objective-see.com/products.html , and download tools such as LuLu, which is something similar to Little Snitch https://www.obdev.at/products/littlesnitch/index.html , and check for any incoming and outgoing network connections. There are other tools to check with, such as KnockKnock, TaskExplorer and KextViewr, just to name a few from Objective-See. Check to see if there is anything they can find.

    Check your other devices in your home, such as Windows PCs and Android phones. Do a full scan.

    If that still persists, I suggest backing up all your files to another external hard disk, then formatting your Mac and reinstalling macOS.

    Try to uninstall any suspected extension in your web browser that might be the potential problem. Try to reset your Google Chrome web browser. And clear all the Privacy data.

    Use CCleaner https://www.ccleaner.com/download to clean your Mac; download the free version.

    If you are technically inclined, maybe you can try to use a pfSense firewall. You can build a system based on computer hardware and build yourself an Ethernet-based firewall router. Put that in between your ISP modem and your Wi-Fi router.

  • Rusli Posts: 1,002 Adventurer
    edited January 5

    Or try CleanMyMac. Download it and click the Malware option in the CleanMyMac app.

    *** Please take note to uninstall Adobe Flash on both macOS and Windows, as it is no longer supported ***

    https://www.adobe.com/products/flashplayer/end-of-life.html

  • Rusli Posts: 1,002 Adventurer

    Try the Objective-See Netiquette from this link to check the network. https://objective-see.com/products/netiquette.html

This discussion has been closed.